Monday, March 14, 2011

IE8 and Safari hacked at Pwn2Own, nobody tries Chrome

Hackers successfully compromised Safari and Internet Explorer during the first day of Pwn2Own. The event began yesterday at 3:30PM PT, and a group from French security firm Vupen exploited Safari 5 running on a MacBook Air in only five seconds, according to Computerworld. That's despite Apple releasing a last-minute patch (v5.0.4) to prevent contestants from using known bugs. In addition to keeping the MacBook Air, the team earned a smooth $15,000 for its accomplishment.

Microsoft decided against updating Internet Explorer 8 ahead of Pwn2Own, presumably because the update would have come outside of the company's traditional patch cycle. IE8 also fell to its first attacker, Stephen Fewer of Harmony Security. Fewer reportedly used three separate vulnerabilities to escape Protected Mode and bypass ASLR and DEP on Windows 7, something event organizer Aaron Portnoy hasn't seen before at Pwn2Own. Fewer also won $15,000 and the compromised system.



Despite Google's hefty $20,000 prize, no one has even attempted to hack Chrome. Only two parties registered for Chrome, but the first contestant was a no-show and the second team wanted to focus on their BlackBerry vulnerability. The $20,000 offering only applied to the first day, but someone could still win $10,000 if they successfully exploit the browser before the event ends on March 11. Hackers will try their hand at Firefox and various mobile platforms today and tomorrow.
