Every year as part of the CanSecWest security conference in Vancouver, Canada, a group of hackers pit their wits against the latest and greatest in browser security at an event called Pwn2Own. The name is a little ’95, but the concept is simple – hack a browser, and you win whatever hardware it was running on.
The traditional victims of Pwn2Own have been Microsoft Corp.’s cumbersome Internet Explorer and Apple Inc.’s Safari browsers, and this year was no different. The first browser to fall was Safari, in an exploit that took just five seconds to achieve. A victim running a fully up-to-date, patched version of OS X and Safari visited a specially designed, malware-laden website, and the hackers were able to launch the calculator – proving that they could execute code on the compromised machine – and place a file on the Mac’s hard drive, proving they had escaped the browser’s “sandbox,” a security feature that is supposed to limit what code running inside the browser can do to the rest of the system.
A French team by the name of VUPEN created this hack, and walked away with $15,000 in prize money and the hardware they successfully hacked – a 13″ MacBook Air. This is a little embarrassing for Apple, which released a large patch the previous day that it said closed some 40 security holes – obviously not quite enough!
Internet Explorer fell next, to researcher Stephen Fewer. Microsoft apparently decided to cut its losses and mostly ignore this year’s event, not even bothering to patch the browser prior to the conference.
Chrome still stands as the king of browser security, having gone unhacked at Pwn2Own in previous years. This year the hacker due to take on Chrome didn’t even show up – perhaps because a major security update by Google Inc. earlier in the week had scuppered his exploit. Google was even offering an additional cash prize for anyone who could exploit its browser, but it looks as though it will be holding onto that money for now.
Today’s Pwn2Own targets are the last major desktop browser, Firefox, as well as Android, iOS and Windows Phone 7.
Via Ars Technica