Safari, Firefox, and IE8 hacked; Chrome left untested

Day 1 of Pwn2Own has just wrapped up and the results so far mimic those of last year. Hackers have claimed victory over all browsers and operating systems except Google's Chrome browser, which no one attempted to hack

Safari 4 on 10.6 Snow Leopard was the first to fall, to a very familiar face: Charlie Miller. This is Miller's third year in a row hacking Safari at Pwn2Own. This year Miller hosted a remote exploit on a web site, and a conference organizer's MacBook was taken over after it was pointed at that site.

Up next was Internet Explorer 8, which was successfully breached by Peter Vreugdenhil, a Dutch security researcher. Vreugdenhil used a four-layer attack to bypass DEP and ASLR on Windows 7 after an organizer browsed to the website that contained the exploit code. He claimed that it took him less than a week to code the exploit.

Nils from MWR InfoSecurity then successfully targeted and hacked Firefox 3 on 64-bit Windows 7, launching calc.exe to demonstrate the exploit, though he said he "could have started any process". Although a memory corruption vulnerability was used for the attack, he also had to bypass DEP and ASLR, as Peter did with IE8. He claims it only took a few days to code the exploit. Nils is a German CS student at the University of Oldenburg who also successfully hacked IE8, Safari, and Firefox at last year's Pwn2Own.

Google Chrome was the only one left standing because no one even attempted a go at it. Charlie Miller's comments from last year's Pwn2Own might shed some more light as to why Chrome was left unscathed:  "There are bugs in Chrome but they’re very hard to exploit.  I have a Chrome vulnerability right now but I don’t know how to exploit it.  It’s really hard.  They’ve got that sandbox model that’s hard to get out of.  With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox."

All successful competitors receive $10,000 USD and their hacked laptop as a reward. The following laptops are available as prizes: Apple Macbook Pro 15", HP Envy Beats 15", Sony Vaio 13", and Alienware M11x. They also receive 20,000 ZDI points, which qualify them for a $5,000 USD payment, 25% reward points on 2011 ZDI entries, a 15% monetary bonus on 2011 ZDI entries, and a paid trip and registration to DEFCON in Las Vegas.

All systems and browsers were updated to the latest versions and left in their default state for the contest. Details of the successful exploits will be withheld from the public until the respective software vendor issues a patch.

67 Comments

I seriously think there should be some kind of clarifications on how extensive are the exploits, especially when it comes to sandboxing. It's a little unfair to say IE8's sandboxing failed because the contest doesn't require attacks to obtain write-access, which is what IE8's sandbox blocks.

It's interesting that hackers couldn't bother hacking Chrome + Win7 combo due to complexity though (for now).

I said it before and I will say it again, you are only as secure as the user. Your house may be very secure, but forget to lock the doors and you're screwed. Same for a browser/OS. If you don't know what you are doing, you are screwed.

OSX may not be popular to attack/hack...but they are still prone to phishing and account/id attacks. This is what gets a lot of users.

From one of the links

After finding the IE 8 vulnerability, Vreugdenhil said it took about two weeks to write an exploit to get around the ASLR+DEP mitigations.

From Neowin

He claimed that it took him less than a week to code the exploit.

Anyone know if IE8 protected mode was attacked?

Fuzzing........nice......

A year (or 2) ago I would have been surprised at FF being included... but it has REALLY gone downhill lately. Bloated, slow running, glitching pile. I still use it, like right now, for some things... but have finally started using Chrome for other things that FF simply can not run, like Java based Poker games that lag down the computer worse than Bioshock II. Don't think FF will even be around in another year if they don't fix some things.

TheMega said,
A year (or 2) ago I would have been surprised at FF being included... but it has REALLY gone downhill lately. Bloated, slow running, glitching pile. I still use it, like right now, for some things... but have finally started using Chrome for other things that FF simply can not run, like Java based Poker games that lag down the computer worse than Bioshock II. Don't think FF will even be around in another year if they don't fix some things.

Firefox now has a big market share (not as big as IE's) in comparison with previous years. It's normal that hackers attack what is more popular.

And yes, FF has been presenting sluggish performance over the years; this is because of the add-ons, which power down the browser. The same happens with IE: if I use it (which is very rare) I use it with all the add-ons disabled except for Flash and McAfee.

Don't know if it's the same bug in calc used to exploit, but you can crash calc doing: 10 / 0. You get a divide by zero error, then calc crashes, cannot reset, nothing.

I did report this during the beta and RC stages of Win7, curious if it's the same bug......

bitflusher said,
Don't know if it's the same bug in calc used to exploit, but you can crash calc doing: 10 / 0. You get a divide by zero error, then calc crashes, cannot reset, nothing.

I did report this during the beta and RC stages of Win7, curious if it's the same bug......

No crash here. Just says, "Cannot divide by zero"

bitflusher said,
Don't know if it's the same bug in calc used to exploit, but you can crash calc doing: 10 / 0. You get a divide by zero error, then calc crashes, cannot reset, nothing.

I did report this during the beta and RC stages of Win7, curious if it's the same bug......

just tried that, doesn't crash, just says you can't divide by zero (as expected)

bitflusher said,
Don't know if it's the same bug in calc used to exploit, but you can crash calc doing: 10 / 0. You get a divide by zero error, then calc crashes, cannot reset, nothing.

I did report this during the beta and RC stages of Win7, curious if it's the same bug......


works fine for me on win7 64, no crash

Lepton said,
Pretty quiet in here. Where's all the Windows 7 fanboys?
They are targeting web browsers, not OS's. You are just trolling...

ajua said,
They are targeting web browsers, not OS's. You are just trolling...

I think he was referring to the integrated, default, and Microsoft-promoted browser in Windows 7. *sigh*

Edited by Northgrove, Mar 25 2010, 10:39am :

Northgrove said,

I think he was referring to the integrated, default, and Microsoft-promoted browser in Windows 7. *sigh*

Which seems just as secure as Apple's default and promoted Safari on Mac OSX

I understand they were going to be testing on Windows Vista x86 with IE8 installed, right? I'd like to see some additional information on what "breed" of Windows 7 the IE8 crack was performed on... I mean something in the line of Windows 7 x64 with IE8, or Windows 7 x86 with IE8, etc.

Anyone know?

Tola1005 said,
I understand they were going to be testing on Windows Vista x86 with IE8 installed, right? I'd like to see some additional information on what "breed" of Windows 7 the IE8 crack was performed on... I mean something in the line of Windows 7 x64 with IE8, or Windows 7 x86 with IE8, etc.

Anyone know?

Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.

http://blogs.zdnet.com/security/?p=5855&tag=wrapper;col1

lordcanti86 said,
Looks like that emergency Apple patch really worked wonders

Same wonders that Microsoft's patches and Firefox's patches work.

REM2000 said,
Same wonders that Microsoft's patches and Firefox's patches work.
He's talking about the large security patch Apple brought out a few days ago.

Google Chrome was the only one left standing because no one even attempted a go at it. Charlie Miller's comments from last year's Pwn2Own might shed some more light as to why Chrome was left unscathed: "There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of.

Doesn't IE8 also run in a sandbox model similar to that of Chrome? I remember reading on uninformed.org about that very topic.

Here's the arstechnica link for it: http://arstechnica.com/securit...oogle-reverse-engineer.ars/

Razorfold said,

Doesn't IE8 also run in a sandbox model similar to that of Chrome? I remember reading on uninformed.org about that very topic.

Apparently, Chrome's sandbox blocks read access to the hard drive, while Internet Explorer's sandbox only blocks write access. Why? Because Chrome doesn't sandbox plugins like Flash. Internet Explorer does sandbox plugins. But the point of this competition is to get read access, so IE's protected mode is no help.

rfirth said,

Apparently, Chrome's sandbox blocks read access to the hard drive, while Internet Explorer's sandbox only blocks write access. Why? Because Chrome doesn't sandbox plugins like Flash. Internet Explorer does sandbox plugins. But the point of this competition is to get read access, so IE's protected mode is no help.

That also means a flaw in Adobe Flash could cause a system to be exploited in Google Chrome even worse than in Internet Explorer. Interesting...

shinji257 said,

That also means a flaw in Adobe Flash could cause a system to be exploited in Google Chrome even worse than in Internet Explorer. Interesting...


No, IE blocks write access only, but Chrome blocks read and write access. That makes Chrome more difficult to exploit than IE.

Edited by still1, Mar 25 2010, 5:00pm :

Redestium said,
Apple should be ashamed for falling so easily.

So Microsoft and Firefox should be proud for falling quickly after..?

Edited by Kookaburra, Mar 25 2010, 5:21am :

Redestium said,
Apple should be ashamed for falling so easily.

And MS having IE 8 for being alone with a sandbox with Chrome, but still failing.

That's really pretty serious.

Redestium said,
Apple should be ashamed for falling so easily.

IE8 failed just as quickly, so Microsoft should be ashamed.

"Google Chrome was the only one left standing"

The only one huh? Where is the mention of Opera being hacked then?

Very misleading

Blaxima said,
"Google Chrome was the only one left standing"

The only one huh? Where is the mention of Opera being hacked then?

Very misleading

Were they there? Does the company have to attend...googled it, they weren't in this competition.

Just out of curiosity, how exactly are they hacking Windows or Macs? Is it like buffer overruns, stack overflows (I saw one that said execution on the heap, which sounds impossible, but they said so), etc.? What else do they do? I am not really a machine level or OS level programmer, so I would like a slightly higher level explanation. Anyone?

Jebadiah said,
Just out of curiosity, how exactly are they hacking Windows or Macs? Is it like buffer overruns, stack overflows (I saw one that said execution on the heap, which sounds impossible, but they said so), etc.? What else do they do? I am not really a machine level or OS level programmer, so I would like a slightly higher level explanation. Anyone?

Physical access.

Blue602 said,

Physical access.


I thought the whole Pwn2Own program was about testing the browsers over the network - Intranet and/or Internet.

Edited by Jebadiah, Mar 25 2010, 3:29am :

Blue602 said,

Physical access.

Then I don't get the point of this? If physical access to the computer is necessary, then no access = no exploit? I too thought this was done over an intranet or the Internet, forcing the browser to execute malicious code or whatever from a distance, not directly on the computer. I mean, if you have access to the computer... what would be the point of using a browser? You have the damn computer wide open for you. What would a browser be for?

What am I missing? Someone shed some light, please?

Edited by einsteinbqat, Mar 25 2010, 3:17am : typos

Jebadiah said,

I thought the whole Pwn2Own program was about testing the browsers over the network - Intranet and/or Internet.

They "fool" people into browsing to a website that contains malicious code...same thing they've all done for the past few years. Except it's hard to call it fooling, when they tell them where to go. So it's hacking, minus the whole social engineering aspect, which makes this rather irrelevant, unless a person spends their entire days on shady websites. Even then, most of these exploits will be patched soon enough.

Kookaburra said,
They "fool" people into browsing to a website that contains malicious code...same thing they've all done for the past few years. Except it's hard to call it fooling, when they tell them where to go. So it's hacking, minus the whole social engineering aspect, which makes this rather irrelevant, unless a person spends their entire days on shady websites. Even then, most of these exploits will be patched soon enough.

Yes, I understand that, but what exactly is the code on the website doing? Is the exploit inserting code into the browser's, say, code segment to give access to the hacker somehow? It seems that such code would be very long and would cause a segmentation fault or something like that and crash the browser. I have only learned this *theoretically*, so I might be wrong, that you can't simply insert code into the code segment, especially in protected mode, because the Intel CPU won't allow it. It seems that somehow they are executing code that is stored in the heap or data segments. I have also only learned this *theoretically*, that you can't execute code in the data segment or the heap. What is it that I am missing? I am not a security guy and I learned about this stuff in a Computer Architecture class a long time ago, so help me out here because my information may be a bit old. LOL

Edited by Jebadiah, Mar 25 2010, 9:53am :
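The question above, and Charlie Miller's remark quoted in the article that on Chrome "you can't execute on the heap", both come down to DEP (Data Execution Prevention, the NX bit). The following program is an added demonstration, not code from the article or from anyone in this thread: it places a six-byte "return 42" routine in a freshly mapped, writable page and tries to call it. While the page is read/write only, as a heap buffer normally is, the CPU refuses to fetch instructions from it and the process receives SIGSEGV, which the program catches; once mprotect() grants execute permission (the W^X transition a JIT compiler performs) the same bytes run and return 42. This is why exploits on DEP-enabled systems cannot simply jump into attacker-supplied bytes on the heap and why the Windows 7 entries in the article had to work around DEP and ASLR. The machine-code bytes and the Linux/POSIX APIs (mmap, mprotect, sigaction) are the example's own choices; it assumes x86-64 or AArch64 Linux.

```c
/* Added example: what DEP/NX enforces. Not from the article or the comments.
 * Assumes x86-64 or AArch64 Linux with mmap/mprotect/sigaction available. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jump;

/* Fault handler: unwind back to try_execute() instead of dying. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_jump, 1);
}

/* Machine code for "return 42" (constructed for this example). */
#if defined(__x86_64__)
static const unsigned char ret42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                       0xC3 };                         /* ret         */
#elif defined(__aarch64__)
static const unsigned char ret42[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                       0xC0, 0x03, 0x5F, 0xD6 };       /* ret         */
#else
#error "this example supports x86-64 and AArch64 only"
#endif

/* Call the code at `page`. Returns what the routine returned, or -1 if the
 * CPU refused to execute from that page (SIGSEGV/SIGBUS was raised). */
static int try_execute(void *page) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result = -1;
    if (sigsetjmp(fault_jump, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Map a fresh page holding ret42 and try to run it.
 *   exec = 0 : page stays read/write (a data page, like a heap buffer)
 *   exec = 1 : page is switched to read/execute before the call
 * Returns the routine's result (42), -1 if DEP blocked the call, -2 on a
 * mapping/protection failure. */
int exec_from_page(int exec) {
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, ret42, sizeof ret42);

    if (exec && mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)pagesz);
        return -2;
    }
    /* Required on AArch64 after writing code; harmless on x86-64. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret42);

    int r = try_execute(page);
    munmap(page, (size_t)pagesz);
    return r;
}

int main(void) {
    int rw = exec_from_page(0);
    int rx = exec_from_page(1);
    printf("call into read/write page   : %s\n",
           rw == -1 ? "blocked by DEP (SIGSEGV caught)" : "ran (DEP not active?)");
    printf("call into read/execute page : returned %d\n", rx);
    return (rw == -1 && rx == 42) ? 0 : 1;
}
```

Run it and the first call is stopped before a single instruction executes, while the second returns 42. An attacker who has corrupted memory therefore cannot just aim the instruction pointer at data they control; they need existing executable code to reuse, which is where ASLR comes in by hiding where that code lives. That combination, plus a sandbox around the process, is the "combination of things" Miller describes.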

Kookaburra said,

They "fool" people into browsing to a website that contains malicious code...same thing they've all done for the past few years. Except it's hard to call it fooling, when they tell them where to go. So it's hacking, minus the whole social engineering aspect, which makes this rather irrelevant, unless a person spends their entire days on shady websites. Even then, most of these exploits will be patched soon enough.


Any remote exploits are serious, it doesn't take "days at shady sites" for that. It just takes a few exploits to become common, and a flaw in Facebook's ad partner network or something stupid like that.

Richard Herman said,
Fantastic news for Chrome, just re-emphasizes my (easy) choice of browser.

Chrome wasn't even attempted, so that doesn't really mean it's the best.

tablet_user said,

Chrome wasn't even attempted, so that doesn't really mean it's the best.

Exactly, the author's comments are a bit misleading. Pwn2Own is set up with pairings, with each team given a draw. The fact is Miller and the others knew they had quick, easy hacks that could gain them access and thus an easy victory if they went first. Why take the time to go against something that is a bit harder to crack when, like Miller, you can be done and claim your prize in under a minute??

tablet_user said,

Chrome wasn't even attempted, so that doesn't really mean it's the best.


The hacker said he has a vulnerability but he doesn't know how to hack it because of the security things like OS protection, process isolation, etc., so that means it is the best. Don't you think the hacker would have tried it just to get the $10,000 prize money?

Edited by still1, Mar 25 2010, 4:12am :

tablet_user said,

Chrome wasn't even attempted, so that doesn't really mean it's the best.

It means it's the most secure out of the browsers tested against; one of the hackers themselves said that they know of a hack but cannot implement it due to the secure sandboxing nature of the browser. If they could have hacked it, they would have.

REM2000 said,

It means it's the most secure out of the browsers tested against; one of the hackers themselves said that they know of a hack but cannot implement it due to the secure sandboxing nature of the browser. If they could have hacked it, they would have.


Yes, it's possible they didn't bother, which would be a major win for Chrome.

And it won last year's Pwn2Own contest too; I think it was the only unhacked browser then as well.

Lechio said,
Except those who use Chrome/Opera + Linux.

Or Chrome + Windows. The hacker said it himself: it's vulnerable, but they can't make an exploit!

I actually use Chrome in Sandboxie (released on x64 finally YAY), with only rights to write to my Downloads folder and through a symbolic link.

So does this mean that Chrome is double sandboxed?

Sais Shishir Ks said,

I don't think exploits will be ever fixed completely.

So true. Even when they fix these either more will crop up elsewhere or they will just create new ones.

Lechio said,
Except those who use Chrome/Opera + Linux.

With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.

just pointing out for you

Raa said,

Or Chrome + Windows. The hacker said it himself: it's vulnerable, but they can't make an exploit!

Hehe, yeah, and that's the telltale of a sandbox that's working well, unlike the problem with IE 8's architecture that leads to issues despite also being sandboxed.

Edited by Northgrove, Mar 25 2010, 10:39am :

Avi said,
Holy crap... we're all screwed... :-)

No, IE7/8 users running Vista/7 are fine; the sandbox has not been broken. We are still protected against malware installation.

However, Chrome users are not safe from exploitation of Flash Player or Adobe Reader plugin flaws, as these are not sandboxed in Chrome (but they are in IE).

Edited by link8506, Mar 25 2010, 2:48pm :

shinji257 said,

So true. Even when they fix these either more will crop up elsewhere or they will just create new ones.

There will always be flaws in software, but with the proper layers of protection a flaw in a browser should be limited to effect that browser session, not the entire computer. You already see that with Chrome.

Lechio said,
Except those who use Chrome/Opera + Linux.

Maybe it didn't get hacked because no one wants to own a Linux machine.

Edited by brentaal, Mar 25 2010, 3:45pm :