Well, well, well. Steve Jobs wouldn’t be sitting easy after reading this. Safari on Mac OS X fell to hackers at the Pwn2Own contest in just 5 seconds! That’s incredibly scary by any measure, but the good news is that the exploits used to do this won’t be released into the wild where they could be misused. A close second was Internet Explorer 8 (who uses that? Get IE9!), which fell to three different vulnerabilities and custom exploits.
Both hacks were performed by bypassing ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) in OS X and Windows 7. These security features are in place in these operating systems to, well, defend against these types of hacks, but it turns out they’re not doing a good job. Especially OS X and Safari – all you need to do to get hacked is visit a website with the exploit and you’re it.
The browsers participating in this contest are:
- Microsoft Internet Explorer
- Apple Safari
- Mozilla Firefox
- Google Chrome
All of these were installed on 64-bit versions of either OS X or Windows 7. The prizes included:
- Sony Vaio running Windows 7
- Alienware m11x running Windows 7
- Apple MacBook Air 13″ running Mac OS X Snow Leopard
- Google CR-48 running ChromeOS (no attacks against this device; it is merely a prize. The Chrome target will be running on the other laptops)
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
Keep in mind that Google Chrome will be given another shot tomorrow. So there’s a good chance it might fall to hackers. Tomorrow, mobile phones will also be on the line, including Windows Phone 7, iOS, BlackBerry and Android. Weirdly, we’re hearing that the iPhone at Pwn2Own won’t be running iOS 4.3, which now includes ASLR too.
It’s an interesting start to the competition, and we are eager to see whether Mobile Safari on the iPhone falls, and whether it falls as fast as its desktop counterpart. Last year, the iPhone’s SMS database was breached at Pwn2Own, so expect some more fireworks this time.
George Hotz was to appear at Pwn2Own to take a crack at Windows Phone 7, but he withdrew due to his legal fight against Sony. On the other hand, Microsoft really needs to fix Internet Explorer and all the sandboxed protection techniques that it boasts of so much. Firefox has been rather tame in the competition, but I get a feeling open source browsers aren’t hackers’ number one choice of target.
Stay tuned for more Pwn2Own coverage!