Safari, IE8, & Firefox Hacked in Pwn2Own Contest

News Posted: Thu, Mar 19 2009 11:24 AM

No fewer than three different browser platforms have succumbed to zero-day exploits by the end of the first day of the three-day, third-annual Pwn2Own contest being held at the CanSecWest 2009 digital security conference in Vancouver, British Columbia. Safari on Mac OS X was the first to fall, followed by Internet Explorer 8 (IE8) on Windows 7, then a second Mac OS X Safari exploit, and finally Firefox (the OS version of Firefox was not supplied in the announcement). Making this even more impressive is that the first winner of the day, Charlie Miller, was the same guy who was the first winner in last year's contest; and the three additional exploits from day one were all cracked by the same person, who goes by the name "Nils."

Not only was Miller the first contestant to produce a successful browser exploit, but he was also the first contestant of the day. There were so many contestants that the folks managing the contest picked the contestant order randomly out of a hat. Within two minutes of the official start of the contest, Miller had completed his Safari exploit. For his zero-day exploit of Safari, Miller won $5,000 and he will also get to keep the MacBook that was the target of the attack.

"Both winners Charlie Miller (left) and Nils (right) receiving a round of applause from the crowd as Aaron Portnoy from TippingPoint (middle) wraps up day one of the judging."

(Credit: TippingPoint DVLabs)

The next winner was Nils, who also nabbed $5,000 for hacking IE8: "With a little tweaking, he ran a sleek exploit against IE8, defying Microsoft's latest built in protection technologies- DEP (Data Execution Prevention) as well as ASLR (Address Space Layout Randomization)." He also will get to keep the Sony Vaio laptop that the hacked IE8 was installed on. Nils did not stop there, however. He then produced an exploit of Safari for another $5,000; and for a hat trick, he then hacked Firefox. By the end of the day, Nils had won a total of $15,000.

There are still two days left to go with the Pwn2Own contest, and plenty of time for more browser exploits. Perhaps Google Chrome is next? As each day of the contest passes, the possible means by which exploits can be conducted are expanded. In other words, with each day of the contest, the hacking gets potentially "easier":

Day 1: Default install no additional plugins. User goes to link.
Day 2: flash, java, .net, quicktime. User goes to link.
Day 3: popular apps such as acrobat reader ... User goes to link

What is owned? - code execution within context of application

In addition to the browser exploit portion of the Pwn2Own contest, there is also a contest for hacking smartphones. The candidate phones are a Blackberry, Android, iPhone, Nokia/Symbian, and a Windows Mobile device. As of yet, no one has completed a successful exploit of one of the phones, but contestant Julien Tinnes showed a Java vulnerability that had "already been disclosed to the vendor," so it was not eligible for a prize. As with the browser competition, the smartphone hacking contest adds more hacking options each day of the contest. A phone is considered successfully exploited if the hacker can demonstrate "loss of information (user data)" or can "incur financial cost."

Day 1 (Raw functionality out of the box, users configured for service) post phone, post email
  • SMS
  • MMS
  • Email (arrival only)
  • wifi on if default
  • bluetooth on if default
  • Radio stack

Day 2
  • All of Day 1
  • Email/SMS/MMS (reading only - no secondary actions)
  • wifi on
  • bluetooth on (not accept pairing by default. Paired with a headset. pairing process not visible)

Day 3
  • All of Day 1 and 2
  • one level of user interaction with default applications
  • bluetooth on (not accept pairing by default. Paired with a headset/other devices upon request. pairing process visible)

In order to collect their prizes, the winners must sign a non-disclosure agreement stating that they will not publicly disclose their exploits. TippingPoint then provides the exploit data directly to the affected vendors.

ice91785 replied on Thu, Mar 19 2009 12:08 PM

I would have no idea where to start....I would just probably log-in and start surfing the web; hope for the best.

Sounds quite lucrative however

  • | Post Points: 5

This all makes me wonder what the 'contestants' do for a living.

 SPAM-posters beware! ®

Oblio211 replied on Thu, Mar 19 2009 2:08 PM

"This all makes me wonder what the 'contestants' do for a living."

They work at Hot Hardware!!! LOL

Marco C replied on Thu, Mar 19 2009 2:40 PM

Yeah right! I wish I had those skills...

Marco Chiappetta
Managing Editor @

ice91785 replied on Thu, Mar 19 2009 7:30 PM

I wonder if they "prepped" themselves for the contest by sitting at home and trying to find vulnerabilities...they'd then be prepped for a few at the contest start yet?

I too wonder how they pass the time when they aren't "on the job"

kid007 replied on Thu, Mar 19 2009 9:24 PM

best way to get some quick cash "legally"

MacBook Pro 13.3" LED-Backlit Glossy, Intel "Penryn" Core 2 Duo T8700 - 2.53G, 8GB DDR3 1066, NVIDIA GForce 9400M 1280X800

HTPC 4G DDR3 XMS Corsair, Intel i5-750 Quad Core, 6ft HDMI Cable by Rosewill, AverMedia Tv Card, Gigabyte P55M-UD2,  Sapphire ATI Radeon HD 5770 with Vapor X Cooling, 500 HD Maxtor 7200 2.5 HDD, Asus Blu-Ray Optical Drive, 46" LED Toshiba TV

3vi1 replied on Sat, Mar 28 2009 11:49 AM

And the open source browser is the first one fixed, as per usual:

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

digitaldd replied on Mon, Mar 30 2009 11:34 AM

Super Dave:

This all makes me wonder what the 'contestants' do for a living.
I've heard one of the winners speak at a computer security conference, he's employed as a Penetration Tester [get your mind out of the gutter] @ a large security consulting firm.


  • | Post Points: 20

Chrome lasted wow, good job.

χƒιяє: yodagunit1
