Safari, IE8, & Firefox Hacked in Pwn2Own Contest

No less than three different browser platforms have succumbed to zero-day exploits by the end of the first day of the three-day long, third-annual Pwn2Own contest being held at the CanSecWest 2009 digital security conference in Vancouver, British Columbia. Safari on Mac OS X was the first to fall, followed by Internet Explorer 8 (IE8) on Windows 7, and then a second Mac OS X Safari exploit, and finally Firefox (the specific OS-version of Firefox was not supplied in the announcement). Making this even more impressive is that the first winner of the day, Charlie Miller, was the same guy who was the first winner in last year's contest; and the three additional exploits from day one were all cracked by the same person, who goes by the moniker, "Nils."

Not only was Miller the first contestant to produce a successful browser exploit, but he was also the first contestant of the day. There were so many contestants that the folks managing the contest picked the contestant order randomly out of a hat. Within two minutes of the official start of the contest, Miller had completed his Safari exploit. For his zero-day exploit of Safari, Miller won $5,000 and he will also get to keep the MacBook that was the target of the attack.

 
"Both winners Charlie Miller (left) and Nils (right)
receiving a round of applause from the crowd as
Aaron Portnoy from TippingPoint (middle) wraps
up day one of the judging."

(Credit: TippingPoint DVLabs)

The next winner was Nils, who also nabbed $5,000 for hacking IE8: "With a little tweaking, he ran a sleek exploit against IE8, defying Microsoft's latest built in protection technologies- DEP (Data Execution Prevention) as well as ASLR (Address Space Layout Randomization)." He also will get to keep the Sony Vaio laptop that the hacked IE8 was installed on. Nils did not stop there, however. He then produced an exploit of Safari for another $5,000; and for a hat trick, he then hacked Firefox. By the end of the day, Nils had won a total of $15,000.

There are still two days left to go with the Pwn2Own contest, and plenty of time for more browser exploits. Perhaps Google Chrome will fall next? With each passing day of the three-day contest, the means by which exploits can be conducted are expanded. In other words, with each day of the contest, the hacking gets potentially "easier":

"Day 1: Default install no additional plugins. User goes to link.
Day 2: flash, java, .net, quicktime. User goes to link.
Day 3: popular apps such as acrobat reader ... User goes to link

What is owned? - code execution within context of application"

In addition to the browser exploit portion of the Pwn2Own contest, there is also a contest for hacking smartphones. The candidate phones are a BlackBerry, Android, iPhone, Nokia/Symbian, and a Windows Mobile device. As of yet, no one has completed a successful exploit of one of the phones, but one contestant, Julien Tinnes, showed a Java vulnerability that had "already been disclosed to the vendor," so it was not eligible for a prize. As with the browser competition, the smartphone hacking contest adds more hacking options each successive day of the contest. A phone is considered successfully exploited if the hacker can demonstrate "loss of information (user data)" or can "incur [a] financial cost."

"Day 1 (Raw functionality out of the box, users configured for service) post phone, post email
  • SMS
  • MMS
  • Email (arrival only)
  • wifi on if default
  • bluetooth on if default
  • Radio stack

Day 2
  • All of Day 1
  • Email/SMS/MMS (reading only - no secondary actions)
  • wifi on
  • bluetooth on (not accept pairing by default. Paired with a headset. pairing process not visible)

Day 3
  • All of Day 1 and 2
  • one level of user interaction with default applications
  • bluetooth on (not accept pairing by default. Paired with a headset/other devices upon request. pairing process visible)"

In order to collect their prizes, the winners must sign a non-disclosure agreement stating that they will not publicly disclose their exploits. TippingPoint then provides the exploited data directly to the affected vendors, so that the vendors can presumably patch the bugs.