
Pwn2Own: Safari, iPhone, IE, and Firefox All Fall


The Pwn2Own contest at the annual CanSecWest conference in Vancouver, British Columbia has become something of a media event for security researchers, a chance for them to step out from behind glowing LCDs and demonstrate that some of the security threats they’ve hinted could impact everyday computer users are real—and pick up some cash money for their efforts. And this year, they did not disappoint: at the Pwn2Own contest, Apple’s iPhone and Safari fell first to security experts, followed in short order by Internet Explorer 8 and Firefox on Windows 7.

On the Macintosh, the star of Pwn2Own this year was again Charlie Miller of Independent Security Evaluators, who picked up the $10,000 top prize by demonstrating a takeover attack on Safari on an Apple MacBook Pro that granted complete access to the machine without requiring any physical access—all the Safari user had to do was visit a Web site with malicious code. Miller won $10,000 in 2008 for breaking into a MacBook Air, and $5,000 last year by exploiting another security loophole in Apple’s Safari browser.

Dutch security researcher Peter Vreugdenhil also won $10,000 for a security exploit that bypassed security features in Microsoft’s Internet Explorer 8. A researcher from the UK’s MWR InfoSecurity named Nils—no last names, please—picked up another $10,000 for an exploit targeting Firefox on the 64-bit version of Windows 7. Last year, Nils picked up $15,000 for a collection of exploits that targeted Firefox, Safari, and Internet Explorer 8.

Perhaps the star of the show, however, was Apple’s iPhone, which fell victim to Ralf Philipp Weinmann and Vincenzo Iozzo, of the University of Luxembourg and the German company Zynamics (respectively), who will share a $15,000 prize.

Researchers aren’t sharing the specifics of their attacks with the general public, in order to give browser and operating system developers a chance to patch the loopholes. However, Miller’s attack on Safari is being described as so reliable that, in information security terms, it’s “weaponized.” Vreugdenhil’s attack on IE8 was a four-part process that exploited two separate vulnerabilities; as with Miller’s Safari attack, it launched from a user connecting to a Web site containing malicious code. Nils’ attack on Firefox exploited a memory corruption bug.

Weinmann and Iozzo’s attack on the iPhone also involved visiting a site bearing malicious code; the technique bypassed the iPhone’s code-signing requirement and could be used to access an iPhone’s SMS database, contacts, photos, or other data.

The Pwn2Own contest is sponsored by TippingPoint’s Zero Day Initiative.

As of the start of the second day of the Pwn2Own contest, Google’s Chrome 4 remains the only browser left standing…but that’s probably because it wasn’t tested at all on the first day.


Geoff Duncan
Former Digital Trends Contributor