Sign in with
Sign up | Sign in

IE8, Firefox and Safari Hacked to Bits at Pwn2Own

By - Source: Tom's Hardware US | B 32 comments

Firefox, IE8 and Safari have all been successfully hacked at CanSecWest's Pwn2Own event.

For the last two Pwn2Own contests, Charlie Miller has been first to gain access by exploiting vulnerabilities in Safari. This year, Charlie turned his streak into a hat trick.

Miller is keeping the details of his exploit under wraps for now, but CNet reports that the security analyst successfully gained remote access to a MacBook Pro by exploiting a vulnerability in Safari. Miller directed MacBook Pro running Snow Leopard to a Web site that contained malicious code. Miller will walk away with the $10,000 cash prize.

Meanwhile, IE8 and Firefox have also been hacked. ZDNet reports that Peter Vreugdenhil, an independent researcher, exploited two vulnerabilities in IE8 to break into a machine running a fully patched version of 64-bit Windows 7.

Vreugdenhill revealed to ZDNet that he used fuzzing to uncover the holes.

"I specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass," he told the site, referring to Microsoft's address space layout randomization. "I started with a bypass for ALSR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP (data execution prevention) bypass,” Vreugdenhil explained.

The research says that once he had found the vulnerability, it took him two weeks to write his exploit and he received $10,000 for his troubles.

A contestant who wished only to be known as Nils broke through Firefox, also running 64-bit Windows 7. ComputerWorld reports that a half hour after Vreugdenhill, Nils bypassed the same defensive mechanisms to exploit Mozilla's Firefox 3.6 and also won $10,000.

Tipping Point, the security company sponsoring the event, will be sending details of the flaws details to all affected companies this Friday.

Read more about the hacks here.

Discuss
Ask a Category Expert

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
Top Comments
  • 31 Hide
    milktea , March 25, 2010 6:36 PM
    I better stop using Firefox, IE8, Safari, and ... my computer.
  • 21 Hide
    Anonymous , March 25, 2010 7:15 PM
    What about Google Chrome?
  • 21 Hide
    scuba dave , March 25, 2010 6:36 PM
    All i have to say is.. I need to switch majors.. 10,000 bucks for less than a month of work? Sold!
Other Comments
    Display all 32 comments.
  • -8 Hide
    bison88 , March 25, 2010 6:33 PM
    So does that mean Opera 10 users are safe?
  • 21 Hide
    scuba dave , March 25, 2010 6:36 PM
    All i have to say is.. I need to switch majors.. 10,000 bucks for less than a month of work? Sold!
  • 31 Hide
    milktea , March 25, 2010 6:36 PM
    I better stop using Firefox, IE8, Safari, and ... my computer.
  • -8 Hide
    amabhy , March 25, 2010 6:36 PM
    Give people money and prizes and anything can be hacked. I'm surprised tech companies don't hire professional hackers (or crackers, as the good guys like to be called) to find holes so they can fix em early.
  • 20 Hide
    Mottamort , March 25, 2010 6:48 PM
    Quote:
    I'm surprised tech companies don't hire professional hackers (or crackers, as the good guys like to be called) to find holes so they can fix em early.


    I think they do that already :) 
  • 14 Hide
    hellwig , March 25, 2010 6:52 PM
    bison88So does that mean Opera 10 users are safe?

    Uh, sadly no. While I use Opera myself, it more than likely means they didn't waste time hacking a web browser only 1.5% of us use.
  • -4 Hide
    aneasytarget , March 25, 2010 6:58 PM
    The key point is that you have to go to a specific website. If you go to trusted websites, less chance of being hacked.
  • 17 Hide
    warezme , March 25, 2010 6:58 PM
    Hey look I hacked Opera!!!!....., (sounds of crickets in the background)
  • 8 Hide
    war2k9 , March 25, 2010 7:05 PM
    There is no such thing as 100% safe from hacks.
  • 21 Hide
    Anonymous , March 25, 2010 7:15 PM
    What about Google Chrome?
  • 3 Hide
    dgingeri , March 25, 2010 7:15 PM
    yet all this can be avoided by avoiding either untrusted sites or allowing scripting on sites you don't trust but want to visit. I'm good with that. Firefox with Noscript, AdBlock plus, and flash blocker is good for me. Couple that with Spybot's immunize function and it's almost invulnerable. No viruses, trojans, or other malware for over 7 years now. (Not counting BitDefender's little false positive that brought my system down on Saturday. That was an inside job and a malfunction.)
  • 13 Hide
    dgingeri , March 25, 2010 7:16 PM
    war2k9There is no such thing as 100% safe from hacks.


    There are 2 ways to prevent hacking 100%: not having your computer hooked to the internet in any way, or simply not using a computer.
  • 4 Hide
    masop , March 25, 2010 7:21 PM
    war2k9There is no such thing as 100% safe from hacks.


    Remove network cable and/or phone cable from computer, disable lan card, disable wireless card and modem port if applicable. Remote hack is not possible at that point, but the computer would be releatively worthless, as most computers in the world have some type of connectivity to the internet. Oh well, what can you do? Vulnerabilities are a side effect of life itself; especially when technology is involved. :-)
  • -1 Hide
    scuba dave , March 25, 2010 7:27 PM
    dgingeriThere are 2 ways to prevent hacking 100%: not having your computer hooked to the internet in any way, or simply not using a computer.


    And what happens when someone goes "The Net" on you?(Old Sandra Bullock movie)

    With how everything is going digital nowadays, there is no solid way to be 100% safe from the right hacker, who is 100% determined to mess your life up. Its just a matter of whether you are fortunate enough to not be noticed and/or not be a desirable enough target to them. And desirable, for the record, can mean almost anything.
  • 0 Hide
    maestintaolius , March 25, 2010 7:52 PM
    amabhyGive people money and prizes and anything can be hacked. I'm surprised tech companies don't hire professional hackers (or crackers, as the good guys like to be called) to find holes so they can fix em early.

    they do
  • 0 Hide
    ben850 , March 25, 2010 8:32 PM
    i'll stick to sub7 /sarcasm
  • 11 Hide
    Shadow703793 , March 25, 2010 8:32 PM
    My question is, would NoScript have been able to block the Fire Fox attack?
  • 1 Hide
    cryogenic , March 25, 2010 9:11 PM
    JmeNdriksWhat about Google Chrome?


    No one attempted to hack Google Chrome (according to arstechnica.com). Chrome was patched for a series of critical vulnerabilities a few days before Pwn2Own. I personally don't put my entire believe in coincidences, and this one is somewhat funny ...
  • 0 Hide
    hoof_hearted , March 25, 2010 9:56 PM
    war2k9There is no such thing as 100% safe from hacks.


    Confiker uses autorun.inf and jumpdrives. No network needed. If one of these sits dormant on your PC, then the one day you hook up, snap.
Display more comments