IE8, Safari, iPhone, BlackBerry exploited in Pwn2Own contest

No efforts were made to attack Chrome, Firefox, Android, or Windows Phone 7 in the annual hacker contest at CanSecWest.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

Researchers competing for $15,000 awards were able to successfully attack Internet Explorer 8 on Windows 7, Safari on Mac OS X, the iPhone 4, and the BlackBerry Torch 9800 in an annual hacker contest at the CanSecWest security conference this week.

For a variety of reasons, no efforts were made to attack Chrome, Firefox, Android or Windows Phone 7, the organizer of the Pwn2Own contest told CNET today.


One team of experts that had an exploit prepared to try against Windows 7 had to withdraw because of travel issues, according to Aaron Portnoy, manager of security research for HP DV Labs and lead for the ZDI (Zero Day Initiative) program that sponsors Pwn2Own.

Windows 7 also was going to be a target for George Hotz, who goes by the hacker name "Geohot," but he withdrew to focus on his legal defense, Portnoy said. Hotz has been sued by Sony for allegedly violating copyright laws by distributing tools that jailbreak the PlayStation 3, which allows home brew and pirated applications to be played on the console.

Another contestant who was going to target Safari, Android, and iPhone withdrew at the request of his company, Portnoy said, declining to identify the contestant or his employer or to speculate why. And Duo Security researcher Jon Oberheide said he blew his chances at exploiting Android in the contest by incorrectly assuming that a bug he recently found and reported to Google directly was ineligible for the event.

The team that successfully exploited the BlackBerry also was planning to attack Chrome, but spent their time on exploits for other targets, he said. Portnoy said he believed they would have been able to exploit Chrome because he "can attest to their skill."

On Wednesday, Chaouki Bekrar of French security company Vupen was able to attack Safari by using a drive-by download. Ireland-based researcher Stephen Fewer of Harmony Security exploited several bugs to defeat the memory protections in IE8, as well as bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) on a laptop running Windows 7.

Fewer's IE exploit was the most impressive of the contest, according to Portnoy. "He had three different vulnerabilities he used in tandem to exploit IE and break out of IE's protected mode, which is Microsoft's equivalent to sandbox architecture," he said. "It was a unique technique he discovered."

Meanwhile, Internet Explorer 9 does not contain the bug Fewer used in the contest, according to Microsoft. A fix for IE8 is being worked on, Jerry Bryant, a group manager with the Microsoft Security Response Center, told Computerworld.

Yesterday, three researchers--Willem Pinckaers, Vincenzo Iozzo, and Ralf-Philipp Weinmann--used three bugs to exploit the BlackBerry browser and run their attack code on the device. Charlie Miller, who successfully defeated Safari on the Mac the past three years, used a new exploit he created with colleague Dion Blazakis to run code on the iPhone after surfing to a Web page hosting malicious code.

Miller, a researcher at Independent Security Evaluators, noted that the iOS 4.3 software Apple released on Wednesday includes ASLR, which would somewhat mitigate his exploit. "The vulnerability I found is still in there, but it would be harder to write for it today than it would have been a few days ago," he said in a phone interview.

Through the Zero Day Initiative the Pwn2Own winners share the exploits with the companies whose software is affected so they can be patched. Researchers who hold exploits they weren't able to try in the contest can also report them through the disclosure program and get paid.

"It was nice to see that some of the platforms that didn't go down last year went down this year, like the BlackBerry," Portnoy said. "Media and public perception makes it seem that these devices are impenetrable if they weren't hacked at the contest," which is not the case.

In addition to cash prizes, winners in the contest receive laptops or smartphones, depending on the platform they target. Google also had said it would pay $20,000 to anyone who successfully attacked Google code as part of the Chrome contest. CanSecWest was held in Vancouver, Canada, this week.