Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

iPhone, IE, Firefox, Safari get stomped at hacker contest
The Register ^ | 25 March 2010 | Dan Goodin

Posted on 03/25/2010 10:42:55 AM PDT by ShadowAce

It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.

Like dominoes falling in rapid succession, the platforms were felled in the fourth year of the contest, which has come to underscore the alarming insecurity of most internet-facing software. To qualify for the big-money prizes, the exploits had to attack previously undocumented vulnerabilities to expose sensitive system data or allow the remote execution of malicious code.

The exploits were all the more impressive because they bypassed state-of-the-art security mitigations the software makers have spent years implementing in an attempt to harden their wares. That included DEP, or data execution prevention, and ASLR, or address space layout randomization and in the case of the iPhone, code signing to prevent unauthorized applications from running on the device.

"Code signing by Apple is tough, though I'm not sure if they do it for security or just to lock people into their platform," said Halvar Flake, a security researcher for Germany-based Zynamics. He compromised the iPhone using an exploit written by his colleague Vincenzo Iozzo. University of Luxemburg student Ralf-Philipp Weinmann was also instrumental in developing the attack.

The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.

As a result, the hackers were able to create a website that when visited by the Apple smartphone forced it to spill a copy of its SMS database. The file includes a list of contacts as well as complete copies of messages that have been sent and received. The database also contains deleted messages unless a user has gone through the trouble of manually erasing them.

The hacks came on day one of the contest, which offers a total of $100,000 in prizes and coincides with the CanSecWest conference in Vancouver. It comes three months after criminal hackers pierce the defenses of Google, Adobe and about 33 other large companies using similar vulnerabilities in an older version of IE. The relative ease contestants had in exploiting other platforms suggested that they are susceptible to the same types of attacks when there is the financial incentive to develop them.

DEP and ASLR, which Microsoft began implementing with the release of Service Pack 3 for Windows XP, didn't fare much better. Peter Vreugdenhil, a researcher with Netherlands-based Vreugdenhil Research, was able to hijack a laptop running IE 8 running on Windows 7, a combination widely considered by white hat hackers as among the hardest to compromise.

Unlike previous DEP- and ASLR-busting techniques, Vreugdenhil's exploit didn't use Adobe Flash, or any other third-party software to accomplish the feat. Rather, it relied on an information-disclosure exploit that allowed him to identify the memory location of a core module that was loaded by the Microsoft browser.

"I used that knowledge to create a DEP bypass by reusing code in that module to change the protection," he said a few minutes after causing Windows 7 to spontaneously open a calculator program. "The vulnerability that I found allowed me to lay out the heap exactly as I wanted to, which is not always possible."

A pdf with additional details of the IE 8 exploit is here.

Firefox running on Windows 7 was also smitten. The author of that exploit was Nils, the same hacker who successfully compromised machines running IE, Firefox and Safari at last year's Pwn2Own contest. As was the case then, he asked that his last name not be printed, but this time the 26-year-old said he is the head of research at MWR InfoSecurity, a security consultancy in Basingstoke, UK.

Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it, said Pete LePage, a senior product manager for IE. He said Microsoft isn't aware of attacks in the wild that target the vulnerability.

Safari was also part of the spoils, making this the third consecutive year contestant Charlie Miller has compromised the Apple browser. Miller, 36, who is principal security analyst at Independent Security Evaluators, said he came to this year's contest armed with close to 20 working attacks that in virtually every case allow him to seize control of the Mac running the program.

He said he found all of them using the same rudimentary, five-line script written in Python, raising the very legitimate question: If he can find them, why haven't people working on Apple's security team found them, too?

"Tomorrow, I'm going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they'll find my 20 [bugs] and probably a lot more," Miller said. "Hopefully, they'll keep doing that and improve their mechanisms of finding bugs as opposed to just slapping band-aids every time I send them email about what bug I have."

The iPhone hack fetched $15,000 and the browser exploits were awarded $10,000 each.

The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals. Plenty of Linux and Mac fans cite the absence of real-world exploits on those platforms as proof positive that they are inherently safer than the prevailing Microsoft operating system. It's an argument that carried little weight in Vancouver.

"The problem Microsoft has is they have a big market share, said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually." ®


TOPICS: Computers/Internet
KEYWORDS: hacker; hax0rs; mozilla; pwn4g3
Navigation: use the links below to view more comments.
first previous 1-2021-4041 last
To: WinMod70
Isn’t computer hacking a criminal activity? I don’t recall seeing the results for the latest chop shop contest; safe cracking; most efficient meth lab contest; etc. Just saying.

If someone comes to you and says: "Here, see if you can hack my system". Then you're okay. It's only hacking systems you're not authorized to hack. To play the role of a "White Hat", you need to see what the black hats do, so you guard against it. The White hat will also play the role of a black hat to test his systems safeguards.

41 posted on 03/26/2010 10:29:02 AM PDT by AFreeBird
[ Post Reply | Private Reply | To 10 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson