Skip to comments.iPhone, IE, Firefox, Safari get stomped at hacker contest
Posted on 03/25/2010 10:42:55 AM PDT by ShadowAce
It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.
Like dominoes falling in rapid succession, the platforms were felled in the fourth year of the contest, which has come to underscore the alarming insecurity of most internet-facing software. To qualify for the big-money prizes, the exploits had to attack previously undocumented vulnerabilities to expose sensitive system data or allow the remote execution of malicious code.
The exploits were all the more impressive because they bypassed state-of-the-art security mitigations the software makers have spent years implementing in an attempt to harden their wares. That included DEP, or data execution prevention, and ASLR, or address space layout randomization and in the case of the iPhone, code signing to prevent unauthorized applications from running on the device.
"Code signing by Apple is tough, though I'm not sure if they do it for security or just to lock people into their platform," said Halvar Flake, a security researcher for Germany-based Zynamics. He compromised the iPhone using an exploit written by his colleague Vincenzo Iozzo. University of Luxemburg student Ralf-Philipp Weinmann was also instrumental in developing the attack.
The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.
As a result, the hackers were able to create a website that when visited by the Apple smartphone forced it to spill a copy of its SMS database. The file includes a list of contacts as well as complete copies of messages that have been sent and received. The database also contains deleted messages unless a user has gone through the trouble of manually erasing them.
The hacks came on day one of the contest, which offers a total of $100,000 in prizes and coincides with the CanSecWest conference in Vancouver. It comes three months after criminal hackers pierce the defenses of Google, Adobe and about 33 other large companies using similar vulnerabilities in an older version of IE. The relative ease contestants had in exploiting other platforms suggested that they are susceptible to the same types of attacks when there is the financial incentive to develop them.
DEP and ASLR, which Microsoft began implementing with the release of Service Pack 3 for Windows XP, didn't fare much better. Peter Vreugdenhil, a researcher with Netherlands-based Vreugdenhil Research, was able to hijack a laptop running IE 8 running on Windows 7, a combination widely considered by white hat hackers as among the hardest to compromise.
Unlike previous DEP- and ASLR-busting techniques, Vreugdenhil's exploit didn't use Adobe Flash, or any other third-party software to accomplish the feat. Rather, it relied on an information-disclosure exploit that allowed him to identify the memory location of a core module that was loaded by the Microsoft browser.
"I used that knowledge to create a DEP bypass by reusing code in that module to change the protection," he said a few minutes after causing Windows 7 to spontaneously open a calculator program. "The vulnerability that I found allowed me to lay out the heap exactly as I wanted to, which is not always possible."
A pdf with additional details of the IE 8 exploit is here.
Firefox running on Windows 7 was also smitten. The author of that exploit was Nils, the same hacker who successfully compromised machines running IE, Firefox and Safari at last year's Pwn2Own contest. As was the case then, he asked that his last name not be printed, but this time the 26-year-old said he is the head of research at MWR InfoSecurity, a security consultancy in Basingstoke, UK.
Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it, said Pete LePage, a senior product manager for IE. He said Microsoft isn't aware of attacks in the wild that target the vulnerability.
Safari was also part of the spoils, making this the third consecutive year contestant Charlie Miller has compromised the Apple browser. Miller, 36, who is principal security analyst at Independent Security Evaluators, said he came to this year's contest armed with close to 20 working attacks that in virtually every case allow him to seize control of the Mac running the program.
He said he found all of them using the same rudimentary, five-line script written in Python, raising the very legitimate question: If he can find them, why haven't people working on Apple's security team found them, too?
"Tomorrow, I'm going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they'll find my 20 [bugs] and probably a lot more," Miller said. "Hopefully, they'll keep doing that and improve their mechanisms of finding bugs as opposed to just slapping band-aids every time I send them email about what bug I have."
The iPhone hack fetched $15,000 and the browser exploits were awarded $10,000 each.
The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals. Plenty of Linux and Mac fans cite the absence of real-world exploits on those platforms as proof positive that they are inherently safer than the prevailing Microsoft operating system. It's an argument that carried little weight in Vancouver.
"The problem Microsoft has is they have a big market share, said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually." ®
In China, every day is Pwn2Own Hacker Contest Day.
Hackers should be shot. That’s a “fire wall” I’d support.
Those issues have always been there, it's just that almost no one cared.
If you have information of value to someone, they will probably be able to get it if they try hard enough.
You'll smoke a turd in hell for that buddy....!!!!
Yes but I like this contest. This is designed to help the end user have a better product.
Exactly. The more this is published, and the more products involved, the better we all are.
Isn’t computer hacking a criminal activity? I don’t recall seeing the results for the latest chop shop contest; safe cracking; most efficient meth lab contest; etc. Just saying.
I also use Opera. Firefox has better features, but Opera is more secure and stable.
The practice leading up to the contest is what worries me.
Hacking in and of itself isn’t illegal, it’s hacking into computers that you don’t have permission to access and are not yours is the illegal part.
Walking on your own property isn’t trespassing, walking on some one’s property without permission is.
WHY WERE THESE INDIVIDUALS NOT ALL ARRESTED? A convention of criminals, and no one paid attention? Oh, I see; it’s Canada. Thanks, Hosers!
Take a deep breath...
Many of those “hackers” work for global security firms, it’s their job to find exploits.
And as for the students, it’s basically the same thing, they work to find and expose exploits to force the company that made the software to tighten it’s security.
It’s people like them that help to find and fix security holes, they’re referred to as “White Hat Hackers”, they’re the good guys.
Because they didn’t launch any attacks on other people’s systems. They developed the exploits on their own time and their own dime, and merely showcased them at this event in an effort to win a prize.
Charlie Miller, who attacks OS X for his prize money, used to be an NSA employee.
There’s nothing illegal about hacking your own computer, or a computer offered up openly for hacking. They’re only breaking the law if they hack a computer against the owner’s wishes. You can bust the software on your own machine all you want.
“Computer hacking” is criminal only when you attack other people’s systems with the exploit.
Developing an exploit on your own systems is not a criminal activity, and if it were, then a whole lot of software developers would end up being shuffled off to jail, because the sort of testing these people engage in is routinely used by software developers who want to make a robust product.
Those software developers wishing to make a robust product, unfortunately, don’t work for major software or hardware vendors, because middle management can’t see the profit margin in closing vulnerabilities unless the vulnerability has been exploited “in the wild.”
Deep breath taken- thanks!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.