The Pwn2Own contest has made light work of security features built into Firefox, Safari, and IE8 - plus Apple's iPhone.
The first day of the Pwn2Own contest at CanSecWest is over, and it's bad news for browsers - three of the most common web browsers have been successfully exploited.
The annual contest challenges hackers and security researchers to attack devices running fully up-to-date versions of the latest browsers and operating systems, with the first to breach a particular system receiving a cash prize along with the hardware used in the contest. As reported over on CNET, it's been a busy day for the security community.
In day one of Pwn2Own 2010, security pro Charlie Miller was the first off the blocks with a successful remote attack against a MacBook Pro running the latest version of Apple's MacOS X - exploiting a hitherto unknown security vulnerability in the Safari browser to launch a remote shell and winning himself $10,000 plus the laptop for his trouble.
Next was Peter Vreugdenhil, who managed to bypass Windows security features, including Data Execution Prevention, via Internet Explorer 8 to take over a PC - again receiving $10,000 plus the hardware.
The browser-based trifecta was completed by a mysterious figure calling himself Nils - no last name - who received $10,000 for exposing a memory corruption flaw in the latest version of Mozilla's popular Firefox browser.
Perhaps the most surprising hack of the day came from Ralf Weinmann and Vincenzo Iozzo, who shared a $15,000 prize for exploiting an iPhone running the latest firmware in such a way that a simple visit to a malicious website can cause the handset to silently upload its entire SMS database to a remote server - giving ne'er-do-wells full access to all your private messages. The pair were keen to point out that although the version of the exploit used at Pwn2Own targeted SMS messages, the code can be tweaked to retrieve any data stored on the handset - including photos.
Details on all the exploits used at Pwn2Own this year will be shared by contest organiser TippingPoint with the relevant vendors, allowing patches to be developed to secure the holes.
Are you amazed that so many browser attacks were successful, or do you just feel sorry for Apple getting hit twice in one contest with MacOS X and iPhone penetrations?