Safari and IE8 Were the First to Fall at Pwn2Own

By Jane McEntegart
published

Apple's Safari browser was the first to fall at the annual Pwn2Own hacking contest taking place at the CanSecWest conference in Vancouver.

Every year, Pwn2Own sees security experts and hackers attempt to hack into machines by exploiting vulnerabilities in the computers' browsers. This year, both Apple and Google released last minute updates before the competition started. Despite this, Safari was the first to fall. Ars Technica reports that VUPEN, a French security company and the first to take a shot at Apple's browser, had gained control of the fully-patched Mac OS X 10.6.6 MacBook five seconds after the browser visited its specially-crafted web page. Despite Apple's update to Safari, the exploit still worked in version 5.0.4.

Next to go was Internet Explorer, which didn't receive an update prior to the competition. Stephen Fewer of Harmony Security managed to beat the 32-bit version of Internet Explorer 8 running on 64-bit Windows 7 Service Pack 1 using three separate vulnerabilities. Two of these were to achieve successful code execution within the browser, with the third being needed escape IE's Protected Mode sandbox. Fewer told Ars that it took him five to six weeks to put together the attack.

The hacker scheduled to take on Google’s Chrome on a Cr-48 Chrome OS notebook was a no-show.

Read more about the exploits and the hackers that beat Safari and IE8 on Ars Technica.

Jane McEntegart
28 Comments Comment from the forums
  • sabot00
    No surprises.
    Reply
  • kilo_17
    It fascinates me how they can crack these browsers in seconds.
    Reply
  • enzo matrix
    kilo_17It fascinates me how they can crack these browsers in seconds.Why? Considering:
    Fewer told Ars that it took him five to six weeks to put together the attack.
    Reply
  • JohnnyLucky
    Do the hackers reveal their methods?
    Reply
  • Mr_Bojangles
    kilo_17It fascinates me how they can crack these browsers in seconds.
    It fascinates me how people can take things so widely out of context. The amount of preparation is what you should look at, not the time frame from within the attack was executed.
    Reply
  • JMcEntegart
    kilo_17It fascinates me how they can crack these browsers in seconds.
    They come up with the exploits prior to the contest and then when the contest starts it's just a case of just running it. Still very impressive, though. Particularly when you consider the fact that Apple patched Safari the day before the competition. That could easily have neutralized VUPEN's exploit.
    Reply
  • masterjaw
    This only shows that Apple is no better than Microsoft in terms of security. The ones who claim that "Mac OS is more secure than Windows" is because of its Unix nature, not because of Apple. Heck, even Mac OS is easily defeated during hacking events.

    Makes you wonder how would be our security landscape if Apple did got 70-80% of world's computing resources.
    Reply
  • molo9000
    These headlines are misleading!
    Who falls first, second, third, etc. is all down to how the event is scheduled.
    Reply
  • chick0n
    masterjawThis only shows that Apple is no better than Microsoft in terms of security. The ones who claim that "Mac OS is more secure than Windows" is because of its Unix nature, not because of Apple. Heck, even Mac OS is easily defeated during hacking events.Makes you wonder how would be our security landscape if Apple did got 70-80% of world's computing resources.
    Steve will come out and say :

    "You use the internet wrong."
    Reply
  • slothy89
    JohnnyLuckyDo the hackers reveal their methods?Yes they do, to the owners of the failed software so they can patch the exploits. These guys are known as "White Hat" hackers, or Crackers.

    No, they do not publish them publicly to allow "Black Hat" hackers to exploit them for malicious purposes.

    This is a professional event designed to test and FIX issues with the worlds popular Browsers and OS's
    Reply