Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cloud
    • Cybersecurity
    • Development

    Apple Safari, Microsoft IE 8 Hijacked by Hackers at Pwn2Own Contest

    By
    Fahmida Y. Rashid
    -
    March 9, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Despite the last-minute update from Apple, Safari was the first to be cracked by security researchers on the first day of the Pwn2Own hacking contest.

      A team of security researchers from the French penetration test company VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win the Pwn2Own challenge on March 9. Security researchers took turns trying to compromise the most up-to-date versions of Microsoft Internet Explorer, Apple’s Safari, Mozilla Firefox and Google Chrome on the first day of the hacking contest at CanSecWest in Vancouver, British Columbia.

      VUPEN cracked Safari in “5 seconds,” claimed several messages on Twitter from attendees.

      In contrast, the two contestants who signed up to hack Google Chrome were no-shows. Chrome survived day one, and Google gets to hang onto its $20,000 prize.

      VUPEN co-founder Chaouki Bekrar used a specially rigged Website that compromised a 64-bit version of a fully patched Mac OS X running on a MacBook. The three-man team spent about two weeks to find the vulnerability in WebKit, the open-source browser rendering engine Safari is based on, and to write the exploit, Bekrar told ZDNet’s Ryan Naraine, who was at the contest.

      The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.

      “The victim visits a Web page, he gets owned. No other interaction is needed,” Bekrar told Naraine.

      For the Internet Explorer portion of the contest, the prize went to Irish security researcher Stephen Fewer, according to Naraine. He successfully hacked into a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he’d found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.

      Like VUPEN, Fewer’s attack also successfully bypassed DEP and ASLR in Windows 7.

      VUPEN was the first contestant to crack Safari. There were three other researchers, including previous three-time winner Charlie Miller, but under the contest’s winner-takes-all rules, the competition was over as soon as VUPEN succeeded. VUPEN had also signed up to test Internet Explorer, but was slated to go second after Fewer, the first contestant for Internet Explorer.

      One contestant is scheduled for March 10, the second day of the contest, to attempt Mozilla Firefox, before the mobile platform portion of the contest begins, according to a spokesperson from TippingPoint ZDI, the contest’s sponsor. Contestants will begin with the Apple iPhone, followed by RIM BlackBerry, Samsung Nexus S running Android and Dell Venue Pro running Windows 7.

      Apple released a last-minute update that patched a number of vulnerabilities in Safari and iOS, but it appears that the target iPhones will not be running iOS 4.3, said Security Generation on Twitter. It is not clear at this time whether VUPEN compromised the new Apple Safari 5.0.4, which Apple had released hours before the contest.

      Google and Mozilla had patched their browsers the week before the contest, but Microsoft had not.

      Fewer won a $15,000 cash prize and a new Sony Vaio laptop running Windows 7 for being the first of the three researchers to hack the Windows browser. VUPEN claimed the other $15,000 cash prize and a 13-inch Apple MacBook Air running Mac OS X Snow Leopard for cracking Safari.

      Technical details of the exploits legally belong to TippingPoint under contest rules. TippingPoint will provide information to Microsoft and Apple and give them six months to fix the flaws before publicizing them.

      CanSecWest is not just about hacking. There were also several panels, such as the one by a pair of security researchers from Germany who demonstrated several techniques that enabled them to remotely reboot, shut down and completely disable many popular mobile phones with SMS messages.

      Fahmida Y. Rashid
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×