iPhone, Safari, IE8, Firefox all fall on day one of Pwn2Own

Hackers took down Apple’s iPhone and Safari browser, Microsoft’s Internet Explorer 8 (IE8) and Mozilla’s Firefox within minutes at today’s Pwn2Own contest, as expected.

Was this just for hacking browsers? I didn’t see any mention of Linux, so I suspect it isn’t the famous one with Windows vs Apple vs Linux (where if my memory serves me right, Linux never fell).

This contest should be banned for one reason:

TippingPoint does not release details of the vulnerabilities exploited for Pwn2Own, but instead purchases the rights to the flaws and exploit code as part of the contest. It then turns over information to the appropriate vendors, who all had representatives on hand.

Who is to stop them from re-selling this information to people other than vendors? Oh wait, they’re giving their “golden word” that they won’t take the juicier offer - well that’s all nice.

They gotta make money somehow as each success cost them $10,000 plus at least one person left with the hardware, though I don’t know if any of the other machines were likewise taken away.

The Firefox on W7 hack worked because the hacker managed to get round ASLR+DEP.

According to the TippingPoint website the contest doesn’t involve Linux this year. However, I think the whole debate about the security merits of different operating systems–at least their technical merits–somewhat misses the point. Malware mostly spreads through bugs in applications (web browsers, Adobe Flash, Adobe Reader, JavaScript, etc.) and exploiting the users’ poor security behavior (e.g. running as root/admin when this isn’t necessary; not patching, etc.) and users’ ignorance and susceptibility to social engineering. Hackers go for the weakest links and although the ultimate target may be control of the OS, the OS itself isn’t the weakest link.

Today the attack targets are:

Microsoft Internet Explorer 7 on Windows Vista
Mozilla Firefox 3 on Windows Vista
Google Chrome 4 on Windows Vista
Apple Safari 4 on MacOS X Snow Leopard

Tomorrow:

Microsoft Internet Explorer 7 on Windows XP
Mozilla Firefox 3 on Windows XP
Google Chrome 4 on Windows XP
Apple Safari 4 on MacOS X Snow Leopard

Given what happened on day 1 I don’t think days 2 and 3 will be much of a challenge, although no one has broken Chrome yet.

Well, in the case of IE, it was the OS’s protection methods that they circumnavigated for the win. So the OS does play a part of the picture, but yes, the OS-direct attacks are not really being tried anymore; they are all application-based.

Yeah, I agree, as I said “somewhat misses the point”. They are coming into the OS through the application and a lot of work is being done to tighten up what happens in the OS to prevent the OS being compromised by buggy apps, e.g. ASLR + DEP. ASLR and other features seem to be in the process of being refined in all the major OSes to prevent the exploitation of vulnerabilities in apps, e.g. SuSE: New kernel packages fix local privilege escalation. Also interesting discussion of Apple getting more serious about ASLR here: Charlie Miller on Pwn2Own.

From what I’ve read it wasn’t Windows so much as Mozilla being the problem with the ASLR bypass in the Firefox hack. The hacker is quoted saying: “Mozilla can do a better job of opting into ASLR on Windows” but maybe they shouldn’t have the option to not opt in properly. That doesn’t seem to be the case in the IE8 hack on W7. There’s a detailed account of that hack by the hacker here. Not the sort of thing a script kiddie is going to pull off.

I guess to add to my last post my feeling is that the whole “my OS is more secure than your OS” sling-fest just misses the point. At the moment regardless of which operating system you use, it is probably one of the lesser things you should be worrying about when it comes to security. Windows has a bigger problem because it is a bigger target but aside from that and the fact that most Windows users seem determined to run as admin all the time, I’m not sure the technical differences add up to much, certainly nothing compared to security issues associated with user behavior, web browsers, and applications like Adobe Reader.