PWN2OWN —

Pwn2Own takes down IE 10 running on a Surface Pro

Chrome and Firefox go down, and to no one's surprise, Java also falls.

Dan Goodin - Mar 7, 2013 5:29 pm UTC

Pwn2Own takes down IE 10 running on a Surface Pro — Aurich Lawson / McDonalds

Browser security took a drubbing during the first day of an annual hacker contest, with the latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbing to exploits that allowed attackers to hijack the underlying computer.

The Pwn2Own contest, which is sponsored by HP's Tipping Point division, paid $100,000 for the successful exploitation of IE 10 running on a Surface Pro tablet powered by Windows 8. The attack was impressive because it was able to bypass a variety of anti-exploit technologies Microsoft has added to its flagship operating system and browser over the past decade. To succeed, researchers from France-based Vupen Security had to combine multiple attacks, a technique that is growing increasingly common.

"We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," the firm announced by Twitter on Wednesday.

Day 1 also saw the full compromise of Chrome 25 on Windows 7, another impressive feat because it also required contestants to bypass security defenses Google developers have invested considerable resources in. The exploit also fetched its creators $100,000.

"We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop," the winning, two-man team from MWR Labs wrote in a blog post. "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

Firefox and a browser plugin for Oracle's Java software framework were also felled, fetching contestants $60,000 and $20,000 respectively for the exploits. Several other applications, including Adobe's Flash and Reader programs and Apple's Safari browser, remained untouched during the first day. The contest runs through Friday.

Now in its eighth year, Pwn2Own wields big cash payouts and whitehat prestige to simulate the financial incentives found in decidedly less-ethical hacking environments. The ultimate takeaway has always been that no software package is immune to crippling exploits that allow attackers to surreptitiously install malware when end-users visit innocuous-looking websites. But as the contest has evolved, it has strived to forge a reward system that mimics the underground economy where blackhats buy and sell attacks.

While not precise, prizes are intended to reflect the relative difficulty of devising a working exploit for a given program running on a particular operating system. Rewards this year are:

Web Browser
- Google Chrome on Windows 7 ($100,000)
- Microsoft Internet Explorer, either
  - IE 10 on Windows 8 ($100,000), or
  - IE 9 on Windows 7 ($75,000)
- Mozilla Firefox on Windows 7 ($60,000)
- Apple Safari on OS X Mountain Lion ($65,000)
Web Browser Plug-ins using Internet Explorer 9 on Windows 7
- Adobe Reader XI ($70,000)
- Adobe Flash ($70,000)
- Oracle Java ($20,000)

Threat Post has additional color on the first day of Pwn2Own here.

Promoted Comments

undervillainArs Centurion
jump to post

tmoldovan wrote:
abadidea wrote:
tmoldovan wrote:
Will they be testing iOS, or is that trivial, as evidenced by various jailbreaking methods?

Jailbreaks are anything but trivial. It takes the finest minds in exploitation months to put a reliable one together and the current one can only be done with physical access and knowing the device PIN if any. That's well outside pwn2own goals of remote exploitation. Comex had this sort of jailbreak once (loading a PDF in Safari) but not currently.

Thanks, I didn't mean to imply that the jailbreak itself is trivial to attain, just that once it is out it seems easy to apply. Though I must confess, I only gather that from recent headlines about untethered jailbreaks. I wasn't aware of the physical access and PIN requirements, that's good to know.

I'm not trying to troll, I'm only asking as more and more enterprises and hospitals are deploying iPads, it is important to know how the actual security works in practice.

On one hand, Apple talks about highest security compliance, and on the other hand there is a jailbreak available for the masses. (I remember the PDF jailbreak, and wonder if the new one can be exploited maliciously.) So when administration asks "are iPads secure to deploy", what would be a realistic answer?

There is always the possibility of bad security holes, but I don't think that the existence of the iDevice jailbreaks makes them particularly insecure. Installing the jailbreak definitely changes the device security, but to do so takes an amount of directed effort. Although "drive-by" jailbreaks have existed in the past (and who knows, a new vulnerability may be discovered which allows it in the future), the current jailbreaks require tethering to a computer and couldn't be done accidentally.

To shift without the clutch: A golf-clap to Aurich, the visualization is great! I especially like the broken window.

258 posts | registered Jun 1, 2011
Solidstate89Ars Scholae Palatinae
jump to post

Gibson99 wrote:
Solidstate89 wrote:
daggar wrote:
I would congratulate Safari for surviving the first day unscathed, but Adobe Flash and Reader survived as well. That makes me assume that their survival is due to scheduling decisions by the various teams rather than inherent security.

Except despite still being highly targeted platforms, the sandboxing in both Flash and Reader are quite robust. I believe it took almost 2 years for someone to finally pierce Reader's Sandbox.

Preconceived notions seem to take a long time to die.

that's true, but there's a distinct difference between a preconceived notion and an established track record of insecurity. adobe and oracle both seem to have the latter.

But unlike Oracle, Adobe has taken dramatic steps to try and curtail the exploits. They even got assistance from Microsoft in developing the sandbox for Flash and Reader. Reader XI even added OTB support for ASLR mitigations.

Oracle hasn't done any such thing.

1064 posts | registered May 23, 2011

Promoted Comments

undervillainArs Centurion
jump to post

tmoldovan wrote:
abadidea wrote:
tmoldovan wrote:
Will they be testing iOS, or is that trivial, as evidenced by various jailbreaking methods?

Jailbreaks are anything but trivial. It takes the finest minds in exploitation months to put a reliable one together and the current one can only be done with physical access and knowing the device PIN if any. That's well outside pwn2own goals of remote exploitation. Comex had this sort of jailbreak once (loading a PDF in Safari) but not currently.

Thanks, I didn't mean to imply that the jailbreak itself is trivial to attain, just that once it is out it seems easy to apply. Though I must confess, I only gather that from recent headlines about untethered jailbreaks. I wasn't aware of the physical access and PIN requirements, that's good to know.

I'm not trying to troll, I'm only asking as more and more enterprises and hospitals are deploying iPads, it is important to know how the actual security works in practice.

On one hand, Apple talks about highest security compliance, and on the other hand there is a jailbreak available for the masses. (I remember the PDF jailbreak, and wonder if the new one can be exploited maliciously.) So when administration asks "are iPads secure to deploy", what would be a realistic answer?

There is always the possibility of bad security holes, but I don't think that the existence of the iDevice jailbreaks makes them particularly insecure. Installing the jailbreak definitely changes the device security, but to do so takes an amount of directed effort. Although "drive-by" jailbreaks have existed in the past (and who knows, a new vulnerability may be discovered which allows it in the future), the current jailbreaks require tethering to a computer and couldn't be done accidentally.

To shift without the clutch: A golf-clap to Aurich, the visualization is great! I especially like the broken window.

258 posts | registered Jun 1, 2011
Solidstate89Ars Scholae Palatinae
jump to post

Gibson99 wrote:
Solidstate89 wrote:
daggar wrote:
I would congratulate Safari for surviving the first day unscathed, but Adobe Flash and Reader survived as well. That makes me assume that their survival is due to scheduling decisions by the various teams rather than inherent security.

Except despite still being highly targeted platforms, the sandboxing in both Flash and Reader are quite robust. I believe it took almost 2 years for someone to finally pierce Reader's Sandbox.

Preconceived notions seem to take a long time to die.

that's true, but there's a distinct difference between a preconceived notion and an established track record of insecurity. adobe and oracle both seem to have the latter.

But unlike Oracle, Adobe has taken dramatic steps to try and curtail the exploits. They even got assistance from Microsoft in developing the sandbox for Flash and Reader. Reader XI even added OTB support for ASLR mitigations.

Oracle hasn't done any such thing.

1064 posts | registered May 23, 2011

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica