The Pwn2own hacking challenge claimed two more victims this week.
Apple's iPhone and Research in Motion's BlackBerry were both successfully exploited by security researchers. The iPhone and BlackBerry join Microsoft's IE and Apple's Safari as technologies that researchers were able to exploit. Google's Android and Chrome, as well as Mozilla's Firefox, all emerged unscathed.
The Pwn2own hacking challenge is run by HP TippingPoint and offers security researchers cash and prizes for showing security exploits in browsers and mobile platforms. The demonstrated flaws are then kept under wraps and provided to the affected vendor so that a patch can be built.
"Me and @dionthegod won pwn2own for iPhone, yippee," security researcher Charlie Miller tweeted. "Apple already has the vulnerability information and will patch soon."
Miller is no stranger to hacking the iPhone. Back in 2007, he first gained notoriety by disclosing the first public exploit of the iPhone at the Black Hat USA event that year. Miller has successfully hacked Apple's platforms at Pwn2own in the 2009 and 2010 events.
The BlackBerry was hacked by a team including security researcher Vincenzo Iozzo, who is also known in the community for his research into Apple security. Both the BlackBerry and the iPhone use WebKit as their underlying rendering engine.
"Major kudos to blackberry hackers who hacked it without a debugger or crashdumps. Amazing!," Miller tweeted.
While the iPhone and BlackBerry platforms were successfully hacked, Google's Android OS and Chrome Web browser were not.
Google had put a $20,000 reward on the Pwn2own table for any successful Chrome exploit.
"I *love* pwn2own! Safari and IE8 were cracked on the first day, but not Chrome," Google engineer Matt Cutts wrote.
Google updated Chrome to version 10 earlier this week, providing at least 25 security fixes.
Mozilla's Firefox Web browser also emerged safely from the Pwn2own 2011 event. Firefox wasn't as fortunate in the past two years, as the browser was exploited in both the 2009 and 2010 events. Mozilla issued a security update for Firefox ahead of the Pwn2own 2011 event, which potentially mitigated possible exploits. Firefox 3.6.14 provided fixes for at least 10 security flaws.
Microsoft's IE 8 wasn't as fortunate and was successfully exploited on the first day of the event. It's not clear when Microsoft will provide a fix for the Pwn2own flaw. For its part, Microsoft is looking forward to its next major browser release, IE 9.
"We have confirmed that IE 9 RC is not affected by the vulnerability used in the Pwn2own contest," Microsoft Security Response tweeted. "IE 9 officially releases on Monday."