Sacred cows fall at Pwn2Own
One thing in this life is certain: if you set something up, someone will knock it down. That is just what has been happening at the Pwn2Own contest run by security company TippingPoint's Zero Day Initiative (ZDI) in Vancouver. The impregnability of the iPhone has gone. Security researchers Vincenzo Iozzo from Zynamics GmbH and Ralf-Philipp Weinmann from the University of Luxembourg stole the SMS database from an iPhone that visited a malicious website.
The researchers have declared, under the rules of the competition, that they won’t release details until after Apple has had a chance to patch the vulnerability – but it just proves that nothing is safe, and even iPhone users need to watch where they’re going.
Apple’s Safari browser running on the latest Snow Leopard version of OS X also fell to proven Mac hacker Charlie Miller, again through the process known as drive-by hacking. When a conference organiser pointed Safari at the poisoned web page, Miller’s exploit took control of the MacBook.
Peter Vreugdenhil took down IE8 running on Windows 7. He managed to bypass Windows’ DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections, which are specifically intended to prevent such attacks.
Firefox on Windows 7 fell to a German researcher known as Nils, using a new zero-day vulnerability. Firefox has only just released version 3.6 (with commendable speed), so we can expect 3.7 before some laggards even update to 3.6.
All in all, the only target that wasn’t attacked and defeated was Google’s Chrome, presumably because no one yet has a working exploit. But give it time. What Pwn2Own does is demonstrate that nothing is ultimately secure. We just have to be very, very careful about what we do and where we go, whatever we’re using.