Chrome Safe In Pwn2Own Contest
Written by Harry Fairhead   
Saturday, 12 March 2011

IE8 and Safari were both hacked on the first day of the Pwn2Own contest but Chrome and Firefox survived.

As reported last month, Google had offered $20,000 in addition to the hardware, cash and other prizes on offer in the annual Pwn2Own hacking competition that is part of the CanSecWest security conference.

Google also went to great lengths to ensure Chrome couldn't be hacked and paid nine researchers a total of $14,000 for finding vulnerabilities in its Chrome 9.0.597.107 browser. The outside researchers found 15 bugs and Google identified four more. Google had patched all 19 flaws in time to meet the deadline.

In the event, no-one even attempted the challenge: the individual challenger who had registered to hack Chrome was a no-show, and the team that did turn up told the organisers they didn't have a Chrome exploit and targeted the BlackBerry instead. This leaves Chrome unexploited for the third year in a row.




Safari 5.3.0 was the first browser to be cracked. A team from French security firm VUPEN won the MacBook Air 13" running Mac OS X Snow Leopard, $15,000 cash and 20,000 ZDI points. VUPEN co-founder Chaouki Bekrar said a team of three researchers took two weeks to assemble the successful exploit. It made the browser visit a malicious page they had crafted, which allowed them to exploit a vulnerability in the browser and bypass OS protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). They then launched the calculator app to prove they could execute arbitrary code on the system, and wrote a file on the hard disk to demonstrate that the sandbox had been exited. These are the two conditions that have to be met for an attack to be considered successful.

While the techniques used to bypass operating system protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are well-known, the specific use and adaptation of these techniques on 64-bit Safari is unusual and required developing tools and attack code from scratch.

Apple released Safari 5.0.4, which patched some 60 security holes in the version that VUPEN exploited, the day before the competition took place. This wasn't in time for the contest, since the rules now stipulate that the configuration to be attacked has to be frozen a week in advance. However, the successful exploit would have worked even if the attack target had been the newer Safari 5.0.4. Apple has now issued a patch to protect against it.

Internet Explorer 8 was also successfully exploited, by Irish Metasploit developer Stephen Fewer, who connected three different security holes to get around the browser's protected mode and other security mechanisms. Microsoft has also already fixed the vulnerability in IE8 and has stated that it didn't exist in IE9, which is due to launch on March 14.

Per the rules of the competition, full details of the Pwn2Own attacks, including the bypass techniques, won't be published until vendors have issued patches.

Further Reading

Google offers $20,000 for a Chrome hack




Last Updated ( Sunday, 20 March 2016 )
