For enterprise information security professionals, the Pwn2Own 2014 hacking contest produced a clear lesson that goes beyond any one vulnerability: Even the most hardened software is vulnerable, so prepare accordingly.
If you have a significantly motivated attacker, they are probably going to figure out some way to compromise that software.
vulnerability analyst, Carnegie Mellon SEI CERT
Backed by the Hewlett-Packard Co.'s Zero Day Initiative and held as part of the CanSecWest security conference last week in Vancouver, British Columbia, Pwn2Own rewards bug hunters and researchers with cash prizes in exchange for producing successful, unique exploits for some of the most used software in the world.
This year's event didn't disappoint, as contestants demonstrated a plethora of exploits that fell all of the major Web browsers, along with Adobe Systems Inc.'s Reader and Flash software. All told, HP paid out $850,000 to researchers for the 35 successful exploits demonstrated at Pwn2Own, with all of those being disclosed to the appropriate vendors.
As is typically the case, the majority of exploits at the 2014 Pwn2Own event focused on Web browsers. Contestants from VUPEN Security, the controversial French firm known for selling zero-day exploits to government agencies around the world, were the biggest winners at Pwn2Own, successfully demonstrating five exploits in total and three against browsers.
George Hotz, the well-known PlayStation 3 and iPhone hacker, demonstrated a remote code execution exploit against Mozilla Corp.'s Firefox browser. Researchers Sebastien Apelt and Andreas Schmidt strung together two use-after-free bugs and a kernel vulnerability in Microsoft's Internet Explorer 11 to access the system's calculation application, creating an opportunity for arbitrary code execution.
Including the new Pwn4Fun charity portion of the competition, researchers were able to successfully demonstrate 11 exploits against the four major Web browsers, with Firefox alone falling four times. HP's researchers also reported several Internet Explorer zero-day vulnerabilities directly to Microsoft that weren't publicized at the show, according to Brian Gorenc, manager of vulnerability research for HP's Security Research group.
Despite the seemingly overwhelming success researchers had in poking holes in fully updated software, Gorenc said the Web browsers and other applications that were compromised are actually much more secure today than they were when the first Pwn2Own was held in 2007. Many of this year's successful exploits required more than one vulnerability, Gorenc noted, including the Apple Safari exploit delivered by Google Inc. researchers that took advantage of three separate vulnerabilities.
"As the mitigations get added in to technologies, it is becoming more difficult," Gorenc said. "It takes a significant amount of time to develop that chain of exploits."
Is sandboxing broken?
According to Gorenc, one of the foremost security technologies making life significantly more difficult for attackers is application sandboxing, which basically isolates code execution within a virtual container. If implemented properly, a sandbox prevents the spread of malicious code from a single application out to a system.
Internet Explorer, Google Chrome, Flash and Reader all use sandboxing technology to some degree (Firefox, notably, does not), yet researchers at Pwn2Own were able to bypass the sandboxes in all of those applications.
Sandbox bypasses are hardly new, according to Will Dormann, vulnerability analyst with the Carnegie Mellon University Software Engineering Institute's CERT Division. Though he couldn't comment on the specific techniques demonstrated at Pwn2Own that have yet to be revealed publicly, he said attackers often look to either break out of a sandbox that has been poorly implemented or find another vulnerability in the underlying operating system that can be exploited to escape the sandbox.
Sandboxing isn't a security cure-all, Dormann said, but a sandbox does significantly increase the difficulty of crafting a successful exploit. Gorenc said that most of the Firefox exploits on display only needed one vulnerability to work, for example, in large part because the browser does not feature sandboxing technology.
"It's really not a good idea to put all your eggs in one basket and say, 'I've got a sandbox and I don't need to worry about anything else'," Dormann said. "The general idea here, both with sandboxing and other mitigations, is that it's requiring a lot more work from the attackers. It's not that sandboxing isn't good or sandboxing isn't helping at all; it's really raising the bar in terms of what an attacker needs to do exploit the software."
Dormann advised enterprise security teams to apply a number of security controls to reduce the attack surface presented by Web browsers and other applications. For Firefox specifically, he recommended installing the NoScript add-on, which gives users control over which plug-ins and functions will work on individual websites. Attackers oftentimes lure users to websites featuring malicious Flash content, for example, but with NoScript installed, Firefox users will be unaffected as long as they don't give permission to run Flash on that site.
More broadly speaking, though, Dormann said enterprise IT security professionals should consider running the free Enhanced Mitigation Experience Toolkit (EMET) software from Microsoft, which he said can help reduce the attack surface of applications and mitigate some of the techniques used to exploit the zero-day vulnerabilities at Pwn2Own. In fact, EMET mitigated all of the IE zero days in 2013 before Microsoft released patches for them.
The effectiveness of EMET in stopping certain classes of vulnerabilities has actually grown to the point that a recent IE zero-day exploit, originally discovered by security vendor FireEye Inc., checked a victim's system for the presence of EMET. If EMET was installed, the exploit wouldn't run, which researchers speculate is because EMET would kill the malicious process or the attackers were worried the Microsoft tool would trigger an alert that would be investigated.
Dormann said many enterprise IT teams are too focused on making sure software is fully patched against the latest known vulnerabilities. Though incredibly important, he said Pwn2Own shows year after year that patching is only one part of the larger battle against successful application exploits.
"Nobody is using software that is flawless. If you have a significantly motivated attacker, they are probably going to figure out some way to compromise that software," Dormann. said "If I can protect against future vulnerabilities [with EMET], that actually gets you a little more bang for the buck. Your goal, in order to stay safe, is to make it as difficult as possible for an attacker to achieve their goal."