IE8, Safari, iPhone Fall at Pwn2Own

Tagged: hackers, Technology
Source: PCMAG - Read the full article
Posted: 4 years 35 weeks ago

The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it.

The IE exploit is the most interesting because it bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), albeit in a very cumbersome way, The researcher, Peter Vreugdenhil, explains exactly what he did in a paper on his web site.

Pwn2Own rules require the exploit code to read a particular file on the system in order to register that the exploit has run. But could Vreugdenhil's exploit have written to the disk? It's not clear. Web pages in IE7 on Vista and IE8 on Vista and Windows 7 both run in "Protected Mode," a special crippled user context in which the browser only has write access to the temporary Internet files directories. While exploit code could do some malicious things under Protected Mode restrictions, it could not, for example, set itself up to run at boot or login.

The Firefox exploit was performed by Nils (no last name given) of U.K.-based MWR InfoSecurity. Nils is contractually prevented from disclosing the exact details of the exploit for now. He indicated that the hard part of it, as with IE8, was bypassing ASLR and DEP. But Nils also implied that Firefox did a bad job of opting in to ASLR, so perhaps that's a clue to what he did.

Over on the Apple front, Charlie Miller exploited a critical Safari vulnerability on a MacBook. Details on this hack are also under wraps until Apple gets a chance to address it.

And finally, Vincenzo Iozzo and Ralf Philipp Weinmann were successful in hijacking an iPhone through a malicious web page. Among other things, they were able to read the entire SMS database, including text messages that had already been deleted, and upload them to a server they controlled.

 

Comments

Anonymous

I remember when the web was a fun concept. Guss I'm getting old.