Pwn2Own: IE8, Safari, and Firefox all hacked on Day One; Only Chrome Left Standing

bonsai

As reported by Engadget:

That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully-patched MacBook by splitting it wide, and gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name Nils (pictured) toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest that runs through Friday isn't over by any stretch.

http://www.engadget.com/2009/03/19/the-pwn2own-trifecta-safari-ie-8-and-firefox-exploited-on-day/
 
Hmm, why was Opera not checked? :)

Anyway, I'm not installing more Google/Apple spyware, so I'll stick to Opera and Fox. :D
 
Interesting. Joe Average had posted info about this in another forum by accident as well. ;)

But I didn't know Chrome was still standing. Interesting. Very interesting.

Not quite sure why they used Windows 7 Beta though, especially with knowledge about the UAC escalation problem that has been corrected in later builds. Sounds like it would have made it a bit too easy to get around the OS if it was a normal vanilla install. Did they say what build of 7 was used?

Like I said in Joe's thread though, I would like to know if those exploits against IE8 and Firefox would have worked if things like IE7Pro, NoScript and ABP were installed.

Definitely interesting about Chrome though. Now if we would just get the add-ons we want for it I may actually consider moving to it over Firefox...
 
Interesting that they chose to use a beta OS and browser. I wish the site gave a little more information though. What version of Win7 were they using? What version of the browser? If they were using the public beta of Win7, then were they using the pre-RC1 version of IE8?

The Chrome thing was kind of puzzling too. I understood that Chrome and Safari used the same engine. Wouldn't the same exploits that worked under Safari work here? Given that the contest dictates that the same exploit can't be used twice, does it mean that the Safari exploit doesn't work on Chrome, or is it that it wasn't used due to the contest rules? If I remember right, last year's winning hack that took down OS X supposedly would be able to work in Linux, but they didn't try due to the rules.


Hopefully there will be more info on all this stuff soon.
 
You can roll eyes, but Google is collecting enough data on us without help of their browser, and Safari tries everything it can to install Apple software I don't want.

So no thx

I'm with him.

Also, whatever happened to Chrome caching personal information in clear text? I never followed up on that issue, and can you consider that a security breach if exploited?
 
I'd be willing to bet it wasn't so much that Chrome withstood his attacks, as much as he probably didn't bother with it for some reason or another (like the others were just easier). I doubt Chrome is really "superior" so much as just more cumbersome to make the attempt. A plus perhaps, but nothing to rock the world.
 
I'd be willing to bet it wasn't so much that Chrome withstood his attacks, as much as he probably didn't bother with it for some reason or another (like the others were just easier). I doubt Chrome is really "superior" so much as just more cumbersome to make the attempt. A plus perhaps, but nothing to rock the world.

Yeah, I tend to agree; maybe more prestige is associated with Firefox etc. That and Chrome hasn't been around long. :S
 
What was W7's UAC level during that hack? If it was in full lock down I doubt it could have been compromised.
 
They tested on a beta browser and OS... this article means jack-fucking-shit, other than the author is an idiot. :(
 
They tested on a beta browser and OS... this article means jack-fucking-shit, other than the author is an idiot. :(
I agree. It really wasn't fair of them to be using a beta operating system and browser for this.
 
If they used IE7 and Vista people still would have bitched, they would say they weren't using IE8 and Win7, claiming they're "more secure". :rolleyes:

Do you think the outcome would have been any different if Vista and IE7 were used? They were hacked last year just as easily.
 
Since Chrome is open source, you'd think it would be the first owned, right?
 
I don't have a problem with good companies going somewhere and becoming huge. Google and Apple do push their software on users though. I shouldn't have to deselect to not install something. Hell, with Apple, you choose not to install the Updater Software and you get it anyways!
 
Here's a good interview with the guy who hacked Safari explaining his browser choice for attack, and talking about which browsers and OSes are more secure and why: http://blogs.zdnet.com/security/?p=2941

Highlights:
Why Safari? Why didn’t you go after IE or Safari?

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.
Google Chrome was the one target left standing. Surprised?

There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.
 
If they used IE7 and Vista people still would have bitched, they would say they weren't using IE8 and Win7, claiming they're "more secure". :rolleyes:

Do you think the outcome would have been any different if Vista and IE7 were used? They were hacked last year just as easily.

Most likely yes, but we also know that Windows 7 Beta Build 7000 has some major defects, especially surrounding UAC, particularly if it's a vanilla install and UAC hasn't been maxed out. If it's a later build of Windows 7 then I really don't have any complaints, but Build 7000 shouldn't have been used.

Here's a good interview with the guy who hacked Safari explaining his browser choice for attack, and talking about which browsers and OSes are more secure and why: http://blogs.zdnet.com/security/?p=2941

Highlights:

Interesting. Definitely puts a bullseye on OS X and the so called security of Apple machines doesn't it? ;)

For Firefox in Windows to be the hardest that's pretty impressive. No doubt things like ABP and NoScript would make it even harder.

Chrome's sandboxing is very nice. If it wasn't for parts of the Chrome EULA I won't agree to I would probably be using it.
 
Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.

Intriguing.
 
Interesting read. I might actually give Chrome a try on a host OS now instead of in a virtual machine. :p
 
I've not seen the security context that this was done in. As others have mentioned, what were the UAC and DEP settings, and what level of account was the user under?
 
I've not seen the security context that this was done in. As others have mentioned, what were the UAC and DEP settings, and what level of account was the user under?

UAC and DEP are left at stock, as in whatever they were at shipped from the manufacturer and after patches are applied. I'm not sure on the user account level, I'm assuming they are using whatever account the OS sets you up with on first run.

If you want specific details you can comment on their site and see if they answer: http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009
 
UAC and DEP are left at stock, as in whatever they were at shipped from the manufacturer and after patches are applied. I'm not sure on the user account level, I'm assuming they are using whatever account the OS sets you up with on first run.

If you want specific details you can comment on their site and see if they answer: http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009

If UAC was left at stock on Build 7000 of Windows 7 then that whole hack means nothing if it makes use of the escalation bug that has been fixed in later builds.
 
If UAC was left at stock on Build 7000 of Windows 7 then that whole hack means nothing if it makes use of the escalation bug that has been fixed in later builds.

It would be nice if they listed which build they used, that's true. I'm assuming they would have used a build that had the UAC exploit fixed but you never know, maybe post on their blog and see what they say.
 
Macs don’t do. Hacking into Macs is so much easier.
This isn't terribly surprising. Apple's attitude toward heightening security has always been somewhat lax. Considering how solid the foundation of OS X is from a security perspective, it should be pretty trivial to implement features to heighten the overall security, right?
 
This leads me to believe it is a vulnerability within IE8 and not a specific build of Win7:
The big news of the day is that the MSRC (Microsoft Security Response Center) woke me up before my alarm went off this morning to let me know that they had reproduced and validated IE8 vulnerability discovered by the mysterious Nils. Of course, we can't tell you anything more than that- stay tuned for more information once Microsoft releases an update for it! I continue to be impressed by the dedication of the MSRC team- and was shocked to get the news of verification in less than 12 hours- considering the entire IE team was most likely at the MIX 2009 con down in Vegas for the official launch of IE8!

From: http://dvlabs.tippingpoint.com/blog/2009/03/20/pwn2own-day-2
 
Regarding the Windows 7 and the UAC disabling without prompt issue, maybe someone can clarify this for me. Is there a way to do this without first running a script? I was reading http://www.neowin.net/news/main/09/02/05/microsoft-update-on-windows-7-uac-issues and to run the proof of concept you still needed to accept a prompt to run the javascript. So in regards to this contest I don't think it would affect it much, as the default security settings would require user intervention whereas the only action allowed in this contest is the initial clicking of the 'hackers' link. If the hacker has the ability to run a similar script without escalation/prompt chances are they didn't need to disable UAC in the first place.
 
Regarding the Windows 7 and the UAC disabling without prompt issue, maybe someone can clarify this for me. Is there a way to do this without first running a script?

That was my initial thought. Given the rules of the competition, it wouldn't seem possible to use the UAC escalation bug with how the proof of concept was presented. It seems like this competition focuses more on browser exploitation than the OS itself.
 
Regarding the Windows 7 and the UAC disabling without prompt issue, maybe someone can clarify this for me. Is there a way to do this without first running a script? I was reading http://www.neowin.net/news/main/09/02/05/microsoft-update-on-windows-7-uac-issues and to run the proof of concept you still needed to accept a prompt to run the javascript. So in regards to this contest I don't think it would affect it much, as the default security settings would require user intervention whereas the only action allowed in this contest is the initial clicking of the 'hackers' link. If the hacker has the ability to run a similar script without escalation/prompt chances are they didn't need to disable UAC in the first place.

That was my initial thought. Given the rules of the competition, it wouldn't seem possible to use the UAC escalation bug with how the proof of concept was presented. It seems like this competition focuses more on browser exploitation than the OS itself.

I agree thus why I said earlier that "if the exploit uses the escalation bug" I think it should be a worthless exploit. ;) If it's pure IE8 security holes more power to Nils for finding it.

This leads me to believe it is a vulnerability within IE8 and not a specific build of Win7:


From: http://dvlabs.tippingpoint.com/blog/2009/03/20/pwn2own-day-2

With that information, yes, I would probably agree that it's a direct IE8 exploit not limited to the Beta/RC that came with Windows 7. If it was Beta/RC only, then MS would have come out saying it isn't an issue in the final version. I smell a patch come Patch Tuesday for this one. ;)

Would like to know if this exploit is also there in IE7 though.
 
Another good interview with Charlie Miller: http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254.html. He gets into some nitty gritty about browser and OS security.

Even after hacking the Mac, he still recommends it over a PC. He says Mac is less secure, but it's still safer.
Alan: So, if you had to make a recommendation, Mac, PC, or Linux? Or do you find them to be equally (in)secure?

Charlie: I'll leave Linux out of the equation since I know my grandma couldn't run it. Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.

Also thought this was an interesting quote:
Alan: Well, let’s get to the part our readers will want to hear the most about. When people hear about Pwn2Own and systems failing within seconds, many imagine a Hollywood-esque free-for-all, with rows upon rows of teams trying to hack a single system (like the scene from Transformers). In truth, Pwn2Own is a lot more civilized and structured, isn't it? How does this compare to other security challenges?

Charlie: Yes, I took down the Mac in under a minute each time. However, this doesn't show the fact that I spent many days doing research and writing the exploit before the day of the competition. It only looks Hollywood because you don't see the hard work in the preparation. If you set me down in front of an application I've never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I'd have no more luck than your grandma at accomplishing it. Well, maybe a little more of a chance, but not much!

As for comparing this to other competitions, most other competitions face teams of hackers against programs written for the contest with bugs purposely added. I like Pwn2Own because it's against real software and the bugs found are real bugs and are given to the vendors to fix, so some good comes out of it too.
 