The Pwn2Own contest at the annual CanSecWest conference in Vancouver, British Columbia has become something of a media event for security researchers, a chance for them to step out from behind glowing LCDs and demonstrate that some of the security threats they’ve hinted could impact everyday computer users are real—and pick up some cash money for their efforts. And this year, they did not disappoint: at the Pwn2Own contest, Apple’s iPhone and Safari fell first to security experts, followed in short order by Internet Explorer 8 and Firefox on Windows 7.
On the Macintosh, the star of Pwn2Own this year was again Charlie Miller of Independent Security Evaluators, who picked up the $10,000 top prize by demonstrating a takeover attack on Safari an Apple MacBook Pro that granted complete access to the machine without requiring any physical access—all the Safari user had to do was visit a Web site with malicious code. Miller won $10,000 n 2008 for breaking into a MacBook Air, and $5,000 last year by exploiting another security loophole in Apple’s Safari browser.
Dutch security researcher Peter Vreugdenhil also won $10,000 for a security exploit that bypassed security features in Microsoft’s Internet Explorer 8. A researcher from the UK’s MWR InfoSecurity named Nils—no last names, please—picked up another $10,000 for an exploit targeting Firefox on the the 64-bit version of Windows 7. Last year, Nils picked up $15,000 for a collection of exploits that targeted Firefox, Safari, and Internet Explorer 8.
Perhaops the star of the show, however, was Apple’s iPhone, which fell victim to Ralf Philipp Weinmann and Vincenzo Iozzo, of the University of Luxembourg and the German company Zynamics (respectively), who will share a $15,000 prize.
Researchers aren’t sharing the specifics of their attacks with the general public, in order to give browser and operating system developers a change to patch the loopholes. However, Miller’s attack on Safari is being described as so reliable that, in information security terms, it’s “weaponized.” Vreugdenhil’s attack on IE8 was a four-part process that exploited two separate vulnerabilities; as with Miller’s Safari attack, it launched from a user connecting to a Web site containing malicious code. Nils’ attack on Firefox exploited a memory corruption bug.
Weinmann and Iozzo’s attack on the iPhone also involved visiting a site bearing malicious code; the technique bypassed the iPhone’s code-signing requirement and could be used to access an iPhone’s SMS database, contacts, photos, or other data.
The Pwn2Own contest is sponsored by TippingPoint’s Zero Day Initiative.
As of the start of the second day of the Pwn2Own contest, Google’s Chrome 4 remains the only browser left standing…but that’s probably because it wasn’t tested at all on the first day.