
Pwn2Own 2011: Hackers Shame Safari and IE8 on Day One

The big surprise is not that IE8 or Safari were shamed, it's that no one tried to topple Chrome and Google's offer to pay an additional $20,000 to the first hacker to crack that browser.

Well, it's March and time for the fifth annual Pwn2Own hacker challenge at the CanSecWest security conference. The big surprise is not that IE8 or Safari were shamed on day one, it's that no one took on Chrome and Google's offer to pay an additional $20,000 to the first hacker to crack that browser.

The rules of the high-stakes hack are simple: if a security researcher can compromise the browser, controlling it to run arbitrary code through a previously undisclosed exploit, the hacker who pwns the hardware can walk away with it, plus $15,000 in prize money. Another rule is that no technical details from winning hacks can be publicly disclosed. TippingPoint, the security company that sponsors Pwn2Own, pointed out that vendors have six months to fix any vulnerabilities exploited at Pwn2Own before TippingPoint goes public with the flaws' technical information.

Google patched 25 Chrome vulnerabilities before the infamous CanSecWest Pwn2Own hacking contest. In an anti-Pwn2Own attempt, Apple updated Safari to 5.0.4 and patched 62 vulnerabilities. Microsoft did not even attempt to patch IE8 before Pwn2Own. Instead, the mighty M got serious about a marketing campaign countdown, begging folks to stop using IE6. After Pwn2Own 2010 last March, Microsoft took until June to patch the vulnerability exploited there.

This year, the first to be quickly shamed was Safari on a MacBook Air. The attack involved a use-after-free flaw in the Apple browser and took only 5 seconds! Ars Technica reported, "French security firm VUPEN was first to attack the browser, and five seconds after the browser visited its specially-crafted malicious web page, it had both launched the platform calculator application (a standard harmless payload to demonstrate that arbitrary code has been executed) and wrote a file to the hard disk (to demonstrate that the sandbox had been bypassed)." VUPEN waltzed out with $15,000 and a new MacBook Air.

Contestants needed to escape the security sandbox, which on Internet Explorer is "Protected Mode." The sandbox supposedly stops write access to the registry keys and operating system, theoretically stopping such practices as malicious software being subversively installed on a computer. But that didn't help Microsoft: on the first day of Pwn2Own, the next hacker up, Irish security researcher Stephen Fewer of Harmony Security, exploited three different vulnerabilities to crack out of "Protected Mode," hack into a 64-bit Windows 7 (SP1) machine running IE8, and win a new Windows laptop and $15,000. ZDNet reported that Fewer, "a Metasploit developer who specializes in writing Windows exploits, used two different zero-day bugs in IE to get reliable code execution and then chained a third vulnerability to jump out of the IE Protected Mode sandbox."

Sadly, Pwn2Own 2011 was without champion Geohot, who is currently busy in a legal battle with Sony for unlocking the PlayStation 3 gaming console. Geohot had planned to jailbreak a Windows Phone 7 device, the Dell Venue Pro. Charlie Miller, three-time Pwn2Own winner, also had an Apple Safari exploit ready.

Although Google offered an additional $20,000 to any team or individual who could successfully crack Chrome, no one took up the challenge. Engadget reported that the two takers, Team Anon and an individual, were busy elsewhere and pulled a no-show.

Today, day two of Pwn2Own, will focus on attacking the smartphone platforms of Windows 7 Mobile, iPhone 4, BlackBerry Torch 9800, and a Nexus S running Google's Android.


Follow me on Twitter @PrivacyFanatic
