Hacker Cracks Recently Released IE8 Final

Article by George Norman (Cybersecurity Editor)

on 20 Mar 2009

It is not just the recently released Internet Explorer 8 (IE8) that has been cracked; Mozilla’s Firefox and Apple’s Safari have succumbed as well. The thing that drew my attention to IE8, though, is the fact that Steve Ballmer put a great deal of emphasis on how secure this latest version of the Microsoft-developed browser really is.

“Customers have made clear what they want in a Web browser — safety, speed and greater ease of use. With Internet Explorer 8, we are delivering a browser that gets people to the information they need, fast, and provides protection that no other browser can match,” said Microsoft CEO, Steve Ballmer a while back.

The good news is that all this hacking business occurred at the PWN2OWN competition, and it was done right in front of Microsoft representatives. A computer science student from Germany (we only know his first name: Nils) was presented with a Sony laptop running a “recent Microsoft internal build” of Windows 7 which had Internet Explorer 8, Firefox and Chrome installed on it. He managed to successfully hack it by defeating IE8’s built-in DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) security features.

Terri Forslof, manager of security response at 3Com's TippingPoint, sponsor of the PWN2OWN contest, comments: “This is the awesome part of PWN2OWN. Microsoft got to stand there and watch it happen. They were right at ground zero. It was important for Microsoft to see that bug right away. They took it back to Microsoft and filed a bug. That's a real success story. Microsoft had the opportunity to talk directly with Nils about the bug, and within five hours they had it reproduced in their labs.”

For his accomplishment, Nils received a $5,000 reward, but by the end of the day he had managed to triple his earnings by hacking into Firefox and Safari (for each successfully hacked browser he received an additional $5,000). On top of that, he also received a Sony Vaio P series laptop. Not bad for a day’s work, you might say, but keep in mind that by accepting these cash rewards he has actually sold the vulnerabilities and the rights to exploit them to TippingPoint.

Terri Forslof again: “It was insane compared to last year. Nils hit the IE8 vulnerability and everybody thought that was it. Then he comes back and says 'Do you mind if I try my Safari vulnerability? Oh, and by the way, I also have a Firefox bug'. After just two hours, we had four browser vulnerabilities and we'd paid out $20,000.”

The additional $5,000 was paid to Charlie Miller, the defending champion of 2008’s PWN2OWN (when only 2 vulnerabilities were uncovered). Charlie Miller was presented with a MacBook which had Safari and Firefox installed on it; in no time at all he successfully exploited a Safari vulnerability, thus winning the $5,000 prize and the MacBook.

“Charlie Miller got the luck of the draw, and had the first time slot for the browser competition. His target: Safari on Mac OS X. Before I could even pull my camera out, it was over within 2 minutes, and Charlie (coincidentally also last year's first winner of the day) is now the proud owner of yet another MacBook, and $5,000 from the Zero Day Initiative,” said Forslof.

The only browser that was left intact at the PWN2OWN competition was Google’s Chrome, version 2.0 of which recently hit Beta (Chrome 2.0 Beta) and which is attempting to become more popular thanks to Chrome Experiments.

