The recently concluded Pwn2Own contest—a lucrative hacking competition held as part of the annual CanSecWest conference—saw all four major internet browsers get their soft(ware) underbellies exposed. Three of the ten browser bugs exposed at the two-day event were in Firefox, which emerged as the second-most pwned browser at the event behind Internet Explorer. But there’s one area where Mozilla has clearly left its competitors behind.
Could the world use yet another browser? Sure, if security is at the forefront of your mind. At the annual Pwn2Own hacking contest that took place this week, Internet Explorer, Firefox, Chrome, and Safari all fell prey to remote code execution exploits by the second day. Not to make a mountain out of a mole hill, this isn't unusual, as every year hackers gather at CanSecWest's conference to show off their skills for prizes.
Google Chrome has amassed quite a favorable reputation for security with both users and security researchers. To its credit, it is the only web browser to have never been hacked at the annual Pwn2Own hacking competition. In fact, on the first day of this year’s Pwn2Own contest (Mar 9-11), Google even offered a $20,000 cash prize to anybody who could circumnavigate the browser’s sandbox “using vulnerabilities purely present in Google-written code.” While no one managed to claim the prize back then, researcher from French security firm VUPEN now claim to have finally “Pwnd Google Chrome and its sandbox.” Hit the jump for more.
Apple earlier today updated its Safari browser to version 5.0.4, plugging up 62 security holes in the process. Even so, it took French security firm Vupen just 5 seconds to exploit the browser and take home a $15,000 bounty from TippingPoint for doing so. This marks the first time in four years that Charlie Miller, an analyst with Security Evaluators, wasn't first to crack the Safari browser in the annual Pwn2Own contest. And what of Microsoft's IE8 browser? It didn't fare much better.
Microsoft is either supremely confident in it’s latest revision of Internet Explorer 8, or they’ve already come to terms with the reality that if you put enough hackers in one room, no amount of patching will save them. Either way the software giant announced on March 4th that it wouldn’t be issuing any security patches before the annual Pwn2Own hacking event which runs from March 9th to 11th in Vancouver Canada. If this holds true, they will be the only major browser contender to do so.
In the grand scheme of things, relatively few people ever claim $20,000 for a day's worth of work. You can be one of them, provided you put your hacker hat on and attend the Pwn2Own contest next month. Google's challenge is this: Be the first to "pop [the Cr-48's Chrome] browser and escape the sandbox using vulnerabilities purely present in Google-written code" and the bounty, as well as the laptop, are both yours to keep, TippingPoint said in a blog post.
"If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope," TippingPoint said.
TippingPoint has put up a total cash pool of $125,000 in this year's Pwn2Own contest, with only $20,000 coming from outside funding (Google). This is the first time Google has offered a cash prize as part of the event, though it's worth mentioning that Chrome was the only browser to remain unscathed during last year's contest.
A handful of hackers will leave CanSecWest's security show a little richer than when they arrived after participating in the annual Pwn2Own contest. Charlie Miller, for example, won $10,000 for hacking Safari on a MacBook Pro without having physical access to the rig. You may recall that Miller, a principal security analyst at Independent Security Evaluators, walked away with $5,000 last year for exploiting a hole in Safari, and $10,000 for hacking a MacBook Air in 2008.
Safari wasn't the only software to fall. Peter Vreugdenhil won $10,000 for hacking Microsoft's Internet Explorer 8 browser, while Nils, head of research at UK-based MWR InfoSecurity, collected the same amount for exploiting Firefox on Windows 7-64 bit (Nils declined to provide his last name).
Both Ralf Philip Weinmann and Vincenzo Iozzo will share a $15,000 prize for hacking Apple's iPhone. They did so with an exploit written two weeks ago designed to steal the contents of the SMS database.
"The payload executes and uploads the local SMS database of the phone to the server we control," Weinmann said.
It was a year ago that security researcher Charlie Miller walked away with $10,000 for hacking into a MacBook Air with Safari in just two minutes during the annual Pwn2Own competition, and earlier this month Miller predicted Safari would be the first to fall at this year's event. Miller made good on that promise this week by using a prepared exploit to gain full control of the device in about 10 seconds.
"It's not easy, but this worked with one click [from the Safari browser]", Miller said.
Miller had discovered the exploit last year, which allows a remote attacker to take over a machine if a user clicks on a malicious URL. Details of the exploit, which Miller isn't allowed to divulge, will be shared with Apple from contest sponsor TippingPoint so that Apple can develop a patch.
On the same day, a 25-year-old computer science student at the University of Oldenburg in Germany demonstrated exploits in IE8, Safari, and Firefox, earning him a cool $15,000 ($5,000 per exploit), along with getting to keep the Sony Vaio P series notebook he used (Miller pocketed $5,000 and a MacBook Air).
While three major browsers succumbed to hacking attempts on day one, no mobile exploits have yet been successful. Mobile exploits carry the biggest reward for contest participants, with TippingPoint offering $10,000 for each successful exploit in the major smartphones.