As normal, Apple’s joke security fell on the first day of the Pwn2Own hacking contest at CanSecWest hacker conference.
Safari on MacOS X and Internet Explorer 8 on Windows 7 fell in the first day despite Jobs’ Mob hoping to scrape through by bring in a last-minute security update that the contestants would not have seen.
However it turned out that French penetration test company VUPEN were able to exploit a zero-day flaw in Apple’s Safari browser to win in five seconds.
It had taken them two weeks to find the vulnerability in WebKit, which is Safari’s rendering engine.
The exploit bypassed ASLR (Address Space Layout Randomization) and past through the DEP (Data Execution Prevention) without being noticed.
Since those are the two key anti-exploit mitigations built into Mac OS X the team was home and hosed. They then launched the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access.
Irish security researcher Stephen Fewer, took down a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits.
He used two different zero-day bugs in IE that he’d found previously, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox.
Fewer’s attack then successfully bypassed DEP and ASLR in Windows 7. Needless to say it took him a bit longer.
Firefox is expected to be attempted today before the mobile platforms portion of the contest begins. It might be a bit harder as, like Apple, Mozilla patched the browsers the week before the contest. Microsoft had not.