Pwn2Own: Safari, iPhone, IE, and Firefox All Fall

The Pwn2Own contest at the annual CanSecWest conference in Vancouver, British Columbia has become something of a media event for security researchers, a chance for them to step out from behind glowing LCDs and demonstrate that some of the security threats they’ve hinted could impact everyday computer users are real—and pick up some cash money for their efforts. And this year, they did not disappoint: at the Pwn2Own contest, Apple’s iPhone and Safari fell first to security experts, followed in short order by Internet Explorer 8 and Firefox on Windows 7.

On the Macintosh, the star of Pwn2Own this year was again Charlie Miller of Independent Security Evaluators, who picked up the $10,000 top prize by demonstrating a takeover attack on Safari on an Apple MacBook Pro that granted complete access to the machine without requiring any physical access—all the Safari user had to do was visit a Web site with malicious code. Miller won $10,000 in 2008 for breaking into a MacBook Air, and $5,000 last year by exploiting another security loophole in Apple’s Safari browser.

Dutch security researcher Peter Vreugdenhil also won $10,000 for a security exploit that bypassed security features in Microsoft’s Internet Explorer 8. A researcher from the UK’s MWR InfoSecurity named Nils—no last names, please—picked up another $10,000 for an exploit targeting Firefox on the 64-bit version of Windows 7. Last year, Nils picked up $15,000 for a collection of exploits that targeted Firefox, Safari, and Internet Explorer 8.

Perhaps the star of the show, however, was Apple’s iPhone, which fell victim to Ralf Philipp Weinmann and Vincenzo Iozzo, of the University of Luxembourg and the German company Zynamics (respectively), who will share a $15,000 prize.

Researchers aren’t sharing the specifics of their attacks with the general public, in order to give browser and operating system developers a chance to patch the loopholes. However, Miller’s attack on Safari is being described as so reliable that, in information security terms, it’s “weaponized.” Vreugdenhil’s attack on IE8 was a four-part process that exploited two separate vulnerabilities; as with Miller’s Safari attack, it launched from a user connecting to a Web site containing malicious code. Nils’ attack on Firefox exploited a memory corruption bug.

Weinmann and Iozzo’s attack on the iPhone also involved visiting a site bearing malicious code; the technique bypassed the iPhone’s code-signing requirement and could be used to access an iPhone’s SMS database, contacts, photos, or other data.

The Pwn2Own contest is sponsored by TippingPoint’s Zero Day Initiative.

As of the start of the second day of the Pwn2Own contest, Google’s Chrome 4 remains the only browser left standing…but that’s probably because it wasn’t tested at all on the first day.

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…