Topic: IE8 resisted the longest, but yeilded none the less

[toasty0]

VANCOUVER, BC — It took a while longer but Microsoft’s Internet Explorer 8 did not survive the hacker onslaught at this year’s CanSecWest Pwn2Own contest.

[ ALSO SEE: Pwn2Own 2009: Safari/MacBook falls in seconds ]


A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7.

He won a cash prize and got to keep the hardware.  Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a “brilliant IE8 bug!” are being kept under wraps.

Several members of Microsoft’s security response team were on hand to witness the successful exploit.

“Nils” also scored a clean hit against Apple’s Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.

More to come…

[Nemesis]

Chrome didn't yield at all.

Link to full article

On a scale of 1-10, how impressive was the Nils’ sweep of exploiting all three main browsers?

I was surprised.  For IE 8, I’d give him a 9 out of 10.   For Safari, maybe a 2. It’s just too easy to pop Safari.   For Firefox on Windows, I give him a 10.  That was the most impressive of the three.  It’s really hard to exploit Firefox on Windows.

Note:  He made an error when talking about Nils, Nils got Firefox on Mac NOT on Windows.

You talked earlier about the value of vulnerabilities.  Was it a surprise that he (Nils) basically gave up three “high-value” bugs for $5,000 each?

It’s clear he’s incredibly talented.  I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs.  I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability.  I’d say $50,000 is a low-end price point.

For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs.  With the way they’re paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.

Google Chrome was the one target left standing. Surprised?

There are bugs in Chrome but they’re very hard to exploit.  I have a Chrome vulnerability right now but I don’t know how to exploit it.  It’s really hard.  The’ve got that sandbox model that’s hard to get out of.  With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

[ SEE: Pwn2Own hacker: Apple Safari is 'easy pickings' ]

I might have this bug and I might be able to get code execution.  But now you’r ein a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits.  That raises the bar.

Coming in, when I posted my predictions, I didn’t think anyone would get go after Chrome, IE or Firefox.  It’s all economics. It’s only hard or easy compared to what someone would pay.  If Pwn2Own offered $1 million per bug for Chrome, there would be a line of people here looking to bankrupt them.

I found the views of last years winner surprising.

[Nemesis]

Interview with Nils:

Link to full article

A day after his perfect sweep of the breaking into fully patched default configurations of all three main Web browsers — Microsoft Internet Explorer, Mozilla Firefox and Safari for Mac OS X — the researcher sat down with me to explain his motivations, the reasons he opted not to sell the vulnerabilities for big money and to spread the word that he’s looking for a job after completing his studies.

Let’s go through your accomplishment here. On a scale of 1-10, how do you rate the difficulty of exploting these bugs.  Start with Safari on Mac OS X…

For that bug, I’d rate it a 5.  Not because Safari on Mac is a harder target but because of the kind of vulnerability. 

How about the Firefox on Windows exploit?

Let me correct something.  It was a Firefox on Mac OS X vulnerability and exploit.

I'd like to see a list of what Browser/OS pairings were tested and which ones were broken and how fast.  So far I haven't seen such a list.

[Nemesis]

I found a list of the OS/Browser pairing but not of which were cracked.  I added to it those that I have seen explicitly listed as cracked or not.  That leaves the question was Firefox on Windows cracked?

Vaio - Windows 7

        * IE8  -  Cracked
        * Firefox
        * Chrome  - NOT  Cracked

Macintosh

        * Safari  -  Cracked
        * Firefox  -  Cracked

They didn't include either Opera for the browser or Linux for the OS this year.   Too bad.

[toasty0]

Is the event over? I thought it was still in progress?

[Nemesis]

Is the event over? I thought it was still in progress?

Link to source

Pwn2Own Wrap Up

    * By Terri Forslof
    * Sat 21 Mar 2009 09:30am
    * 4530 Views
    * 1 Comments
    * Link

We are all wrapped up from this years CanSecWest and pwn2own contest, and again it was a great conference, and a successful competition. The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and FireFox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploit is not possible using any current known techniques. I’m sure they’ll get it fixed up just the same.

It appears to have ended a couple of days ago.

[Nemesis]

Mozilla has released a Firefox patch to cure this defect.