Browser vendors have been put on alert this week as security researchers at the Pwn2own competition at the CanSecWest conference in Vancouver successfully exploited Microsoft Internet Explorer 8, Safari, and Firefox. On the mobile side, an iPhone was shown to be exploitable, too.
The Pwn2own event tests fully patched versions of software for vulnerabilities and then rewards researchers with prize money if they're able to demonstrate an exploit. Among the first browsers to fall was Microsoft's Internet Explorer 8 running on Windows 7.
Security researcher Peter Vreugdenhil was able to demonstrate an attack that got around Microsoft's security protections in Windows 7 in order to exploit IE 8. As part of the rules for the Pwn2own event, researchers must keep the specific details of their exploit private so that the contest organizers can hand over the exploit info to the affected vendor.
Vreugdenhil, however, has posted a paper explaining in general terms how he was able to bypass Windows 7 security and exploit IE 8. He noted that he used a two-part exploit in the interest of time, but a one-step exploit might also have been possible.
"I will not (and am not allowed to) give out the exact vulnerabilities that I used in the exploit, but I might disclose them someday when Microsoft has them patched," Vreugdenhil wrote. "Yes, you read that correctly -- them. I used two exploits to get the final code execution on [Windows 7], but that was partly to speed up the exploit."
One of the key aspects of Vreugdenhil's exploit involves getting around Microsoft's DEP (Data Execution Prevention) mechanism, which is intended to provide unauthorized code from running.
"The first part figures out where a certain .DLL file is loaded in the current process, followed by step two that uses the information gathered in step one to trigger an exploit that uses some ret2lib technique to disable DEP for our shellcode and then redirects the program flow to the shellcode," Vreugdenhil stated.
Vreugdenhil is not the first Pwn2own winner to attack IE8 by way of DEP. In last year's Pwn2own event, a security researcher known only as "Nils" was able to exploit IE 8 by way of a different DEP-bypass approach. (Nils also went on to expose vulnerabilities in all three browsers during the 2009 contest.)
Initially, Microsoft denied that Nils' exploit could affect the production version of IE 8, but the software giant evidently changed its mind a few months later when Microsoft decided to issue a patch for the vulnerability.
This year, though Nils hadn't been the first to exploit IE 8, he was the first to take down Mozilla Firefox and was also able to exploit Apple Safari, despite the fact that both Apple and Mozilla patched their respective browsers ahead of the Pwn2own contest.
On the mobile side, Apple's iPhone was shown to be exploitable by Vincenzo Iozzo and Ralf Philipp Weinmann. Iozzo is no stranger to publicly demonstrating and talking about hacking iPhones at security events including Black Hat. The researchers exploited the fully patched, non-jailbroken iPhone by way of its Safari Web browser.
"They exploited a zero-day Safari vulnerability with a payload which retrieved the text messages from the device," Aaron Portnoy, TippingPoint Security's research team lead, wrote in a blog post highlighting the security contest's results.