Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cloud
    • Cybersecurity
    • Development

    Apple Safari, Microsoft IE 8 Hijacked by Hackers at Pwn2Own Contest

    By
    Fahmida Y. Rashid
    -
    March 9, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Despite the last-minute update from Apple, Safari was the first to be cracked by security researchers on the first day of the Pwn2Own hacking contest.

      A team of security researchers from the French penetration test company VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win the Pwn2Own challenge on March 9. Security researchers took turns trying to compromise the most up-to-date versions of Microsoft Internet Explorer, Apple’s Safari, Mozilla Firefox and Google Chrome on the first day of the hacking contest at CanSecWest in Vancouver, British Columbia.

      VUPEN cracked Safari in “5 seconds,” claimed several messages on Twitter from attendees.

      In contrast, the two contestants who signed up to hack Google Chrome were no-shows. Chrome survived day one, and Google gets to hang onto its $20,000 prize.

      VUPEN co-founder Chaouki Bekrar used a specially rigged Website that compromised a 64-bit version of a fully patched Mac OS X running on a MacBook. The three-man team spent about two weeks to find the vulnerability in WebKit, the open-source browser rendering engine Safari is based on, and to write the exploit, Bekrar told ZDNet’s Ryan Naraine, who was at the contest.

      The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.

      “The victim visits a Web page, he gets owned. No other interaction is needed,” Bekrar told Naraine.

      For the Internet Explorer portion of the contest, the prize went to Irish security researcher Stephen Fewer, according to Naraine. He successfully hacked into a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he’d found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.

      Like VUPEN, Fewer’s attack also successfully bypassed DEP and ASLR in Windows 7.

      VUPEN was the first contestant to crack Safari. There were three other researchers, including previous three-time winner Charlie Miller, but under the contest’s winner-takes-all rules, the competition was over as soon as VUPEN succeeded. VUPEN had also signed up to test Internet Explorer, but was slated to go second after Fewer, the first contestant for Internet Explorer.

      One contestant is scheduled for March 10, the second day of the contest, to attempt Mozilla Firefox, before the mobile platform portion of the contest begins, according to a spokesperson from TippingPoint ZDI, the contest’s sponsor. Contestants will begin with the Apple iPhone, followed by RIM BlackBerry, Samsung Nexus S running Android and Dell Venue Pro running Windows 7.

      Apple released a last-minute update that patched a number of vulnerabilities in Safari and iOS, but it appears that the target iPhones will not be running iOS 4.3, said Security Generation on Twitter. It is not clear at this time whether VUPEN compromised the new Apple Safari 5.0.4, which Apple had released hours before the contest.

      Google and Mozilla had patched their browsers the week before the contest, but Microsoft had not.

      Fewer won a $15,000 cash prize and a new Sony Vaio laptop running Windows 7 for being the first of the three researchers to hack the Windows browser. VUPEN claimed the other $15,000 cash prize and a 13-inch Apple MacBook Air running Mac OS X Snow Leopard for cracking Safari.

      Technical details of the exploits legally belong to TippingPoint under contest rules. TippingPoint will provide information to Microsoft and Apple and give them six months to fix the flaws before publicizing them.

      CanSecWest is not just about hacking. There were also several panels, such as the one by a pair of security researchers from Germany who demonstrated several techniques that enabled them to remotely reboot, shut down and completely disable many popular mobile phones with SMS messages.

      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×