Pwn2Own 2011: It Takes 3 Holes to Hack IE8, just 1 for Safari


Recommended Posts

Safari 5 is the first browser victim of this year’s Pwn2Own hacking contest at CanSecWest, with Internet Explorer 8 being the second one to fall.

Security researchers from French security outfit VUPEN took a swing at Safari 5 on a fully patched Mac OS X Snow Leopard (64-bit) copy running on a MacBook.

Exploiting just a single zero-day vulnerability in Safari, the VUPEN researchers took Apple’s browser down in just five seconds, walking away with no less than $15,000 and the Apple MacBook Air 13″, according to Zero Day.

VUPEN co-founder Chaouki Bekrar explained that just by using simple fuzzing techniques a variety of issues can be discovered rather easily in WebKit, the engine at the core of Safari.

Taking advantage of the flaws in attacks is somewhat difficult because exploiting vulnerabilities on x64 Mac OS X is uncharted territory, but as VUPEN proved, not impossible.

The 0-day flaw they discovered allows for drive-by attacks, which means that a user needs to simply visit a malformed webpage to get owned, without any additional interaction required.

It appears that the attack on Internet Explorer 8 was more complicated. First off, security researcher Stephen Fewer needed no less than three vulnerabilities to bypass all the security mitigations put in place by Microsoft.

Fewer told Zero Day that without chaining the vulnerabilities, the attack would not have been successful.

He hacked IE8 on 64-bit Windows 7 (SP1) by using two security holes to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), key security mitigations on which IE8 relies.

The third vulnerability was used to circumvent yet another layer of security for IE8, namely Protected Mode, part of the User Account Control (UAC) mitigation.

Fewer confessed that the hardest part of the attack was writing the bypass for IE8 Protected Mode, which involved inventing a completely new way to circumvent the protection.

Unlike the Safari attack, this one required the victim not only to visit a malicious web page but also to click on a link in order to launch the exploits.

Source: Softpedia

Staff Note: Moved to Security and Privacy News. :)
