VANCOUVER, BC -- Hackers successfully exploited a handful of zero-day vulnerabilities, Wednesday, quickly cracking a flaw in the popular Apple iPhone. Zero-day vulnerabilities in Apple Safari 4, Mozilla Firefox and Internet Explorer 8 were also exploited by the security researchers during TippingPoint's Pwn2Own contest at the 2010 CanSecWest Applied Security Conference.
Nils, Security Researcher MWR InfoSecurity
Two researchers, Vincenzo Iozzo and Raif Weinmann were the first to successfully hack a mobile device, exploiting a flaw in the iPhone Safari browser to run SMS messages to a remote Web server. The researchers, however, were not present for the contest since their flight to the event was delayed, but well-known security researcher, Halvar Flake represented them in the contest. The two researchers won $15,000 for discovering the zero-day vulnerability.
Researcher Charlie Miller, principal security analyst at Baltimore-based Independent Security Evaluators, quickly exploited a vulnerability in the desktop version of Safari running on Mac OS X. He won $10,000 for the exploit, which targeted one of 20 vulnerabilities that the researcher plans to talk about during a presentation later in the conference. Miller's exploit opened up a remote shell, which he accessed in order to run any malicious code he wanted.
The researcher said he isn't happy with Apple's secure software development processes and doesn't plan to disclose all 20 of his vulnerabilities to the software maker, though by contest rules, the vulnerability used in the contest will be disclosed to the vendor. Miller said discovering the 20 vulnerabilities took only three weeks using three computers.
"I'm not doing anything, my computers are running and doing all the work," Miller said. "The amount of work I do is a minute a day. I shouldn't be able to find bugs doing that. [Apple] should be better than me at this but they're not … I wish they were better."
Researchers hack IE 8, Mozilla Firefox bypassing ASLR, DEP
Two other researchers joined Charlie Miller in bypassing both address space layout randomization (ASLR), a security feature that, if properly used, mitigates some attacks that attempt to exploit code in memory and data execution prevention (DEP), which prevents attackers from executing their malicious code in none-executable memory.
A researcher quickly demonstrated a flaw in IE 8 running on Windows 7, bypassing the mitigation technologies. Peter Vreugdenhil, an independent security researcher based in the Netherlands, targeted an unspecified vulnerability, using a technique that bypassed ASLSR. The flaw is exploited if a user browses to a malicious website. He won $10,000 and a laptop for discovering the zero-day vulnerability.
"It's an HTML based file that redirected his laptop to my webpage," Vreugdenhil said.
Mozilla Firefox was also successfully exploited by bypassing ASLR and DEP. A researcher at UK-based MWR InfoSecurity, who goes by the name of Nils, targeted a memory vulnerability, obtaining a $10,000 cash prize and a laptop. Nils said the exploit he created took only a few days to create. It started a process which ran a calculator on the laptop running Windows 7, but warned that it could have started anything instead.
"We all used weaknesses, which allowed us to leak data as Peter's did, or other weaknesses as in my case or Charlie Miller's case, which were weaknesses in the implementation of the protection mechanisms themselves," Nils said. "The vulnerability itself wasn't that complicated, but getting around exploitation mitigations in Windows 7 is the hard part and takes the most time in actually writing the exploit."
Left unscathed was Google Chrome 4 running on Windows 7 as well as several mobile devices. No hacker attempted to crack Google's Nexus One, a RIM Blackberry Bold 9700 or a Nokia E72 device running Nokia's Symbian OS.