IE8 and Safari hacked at Pwn2Own, nobody tries Chrome

March 10, 2011, 3:20 PM
Hackers successfully compromised Safari and Internet Explorer during the first day of Pwn2Own. The event began yesterday at 3:30 PM PT, and a group from French security firm Vupen exploited Safari 5 running on a MacBook Air in only five seconds, according to Computerworld. That's despite Apple releasing a last-minute patch (v5.0.4) to prevent contestants from using known bugs. In addition to keeping the MacBook Air, the team earned a smooth $15,000 for its accomplishment.

Microsoft decided against updating Internet Explorer 8 ahead of Pwn2Own, presumably because it would have come outside of the company's traditional patch cycle. IE8 also fell to its first attacker, Stephen Fewer of Harmony Security. Fewer reportedly used three separate vulnerabilities to escape Protected Mode and bypass ASLR and DEP on Windows 7, something event organizer Aaron Portnoy hasn't seen before at Pwn2Own. Fewer also won $15,000 and the compromised system.


Despite Google's hefty $20,000 prize, no one has even attempted to hack Chrome. Only two parties registered for Chrome, but the first contestant was a no-show and the second team wanted to focus on their BlackBerry vulnerability. The $20,000 offering only applied to the first day, but someone could still win $10,000 if they successfully exploit the browser before the event ends on March 11. Hackers will try their hand at Firefox and various mobile platforms today and tomorrow.




User Comments: 22

Win7Dev said:

I would think Firefox would be compromised rather quickly because it is open source. People can just examine code and then find a snippet that could be used to exploit it. I know that it really isn't that easy to do, but I'm sure the developers of it could come up with at least one loophole somewhere.

Guest said:

That's also the power of open source: the group at the head of the distribution, or a concerned user, sees it, submits the bug and it gets fixed very fast.

princeton said:

Win7Dev said:

I would think Firefox would be compromised rather quickly because it is open source. People can just examine code and then find a snippet that could be used to exploit it. I know that it really isn't that easy to do, but I'm sure the developers of it could come up with at least one loophole somewhere.

Since Firefox is a browser that many hackers use, the hackers report bugs they find instead of exploiting them.

Guest said:

woohoo chrome for the win

Rick, TechSpot Staff, said:

No one tried last year either....

mario, Ex-TS Developer, said:

@Win7Dev Well, almost every browser is open source, or a good part of it is. Chrome and Safari use the open-source WebKit rendering engine, Chrome's chrome (UI) and its JavaScript interpreter are also open, Firefox is open from head to toes; the only private ones are Opera and IE.

Chrome is the toughest to crack because it runs every tab in its own sandbox, making it very difficult for exploits to run arbitrary code. WebKit2, the next version of WebKit, will have this functionality built-in; it's supposed to be implemented in Safari with OS X Lion.

NeoFryBoy said:

I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.

Jurassic4096 said:

neofryboy said:

I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.

Very poor analogy... but if you find a standard dunk tank that pays $20,000 for hitting it, I'm in.

aj_the_kidd said:

jurassic4096 said:

neofryboy said:

I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.

Very poor analogy... but if you find a standard dunk tank that pays $20,000 for hitting it, I'm in.

Umm, Google challenged people to hack them and no one "threw the ball"; it's a good analogy if you ask me. Poor Chrome, least you didn't get "wet".

Guest said:

I'll be very curious to see if anyone can hack Opera. It may have a lower share of the browser market, but it is hands down the best browser I have ever used. There is something fishy about no one even attempting to hack Chrome. Plus, I would never use a browser or any other software or hardware that is sponsored by a company whose primary business is collecting data.

princeton said:

aj_the_kidd said:

jurassic4096 said:

neofryboy said:

I wouldn't call that winning. That's like sitting in a dunk tank and no one wants to throw the ball. Disappointing for everyone.

Very poor analogy... but if you find a standard dunk tank that pays $20,000 for hitting it, I'm in.

Umm, Google challenged people to hack them and no one "threw the ball"; it's a good analogy if you ask me. Poor Chrome, least you didn't get "wet".

I'd call it a bad analogy because if I was in a dunk tank I wouldn't be disappointed if nobody dunked me :P

matrix86 said:

I'm with aj on this one. Chrome would win if someone tried and didn't succeed. You can't call something uncrackable when nobody tries to crack it. Intimidation is no excuse. Somebody who knows what they're doing needs to grow a pair and have it. They all seem to be taking the easy way out. They know Firefox, IE, and Safari can be cracked, so they go with it. But Chrome is tight; it would take a lot more work. What would you rather go for? A browser that you have a good chance at cracking and winning the prize money? Or a browser that's hard to crack, causing you to not get any prize money?

Although considering it's been untouched for the past 2 years, there should be no excuse for this. Someone at least try it!

aj_the_kidd said:

matrix86 said:

I'm with aj on this one. Chrome would win if someone tried and didn't succeed. You can't call something uncrackable when nobody tries to crack it. Intimidation is no excuse. Somebody who knows what they're doing needs to grow a pair and have it. They all seem to be taking the easy way out. They know Firefox, IE, and Safari can be cracked, so they go with it. But Chrome is tight; it would take a lot more work. What would you rather go for? A browser that you have a good chance at cracking and winning the prize money? Or a browser that's hard to crack, causing you to not get any prize money?

Although considering it's been untouched for the past 2 years, there should be no excuse for this. Someone at least try it!

Yeah, I thought hackers were all about notoriety. I'd want to be part of the team which hacked Chrome and told Google to "Sit down, be quiet, cause I just hacked your browser *****, now give me that money"

bonniesmith said:

Chrome might not be that easy to hack, Google guys were giving out $150,000 per exploit found...

aj_the_kidd said:

I think you mean that Google have given out $100,000 in rewards but if not please provide a source. Seems a little unlikely that they would be rewarding people $150,000 for each exploit found

Rick, TechSpot Staff, said:

aj_the_kidd said:

I think you mean that Google have given out $100,000 in rewards but if not please provide a source. Seems a little unlikely that they would be rewarding people $150,000 for each exploit found

They were offering $1337 USD per exploit found... a funny figure.

ansh1993 said:

Yes, Chrome is the best. But, that's very surprising that Safari was hacked in less than 5 seconds.

yukka, TechSpot Paladin, said:

Rick said: They were offering $1337 USD per exploit found... a funny figure.

http://en.wikipedia.org/wiki/Leet

matrix86 said:

yukka said:

Rick said: They were offering $1337 USD per exploit found... a funny figure.

http://en.wikipedia.org/wiki/Leet

Is it sad that as soon as I saw him post that figure, I knew exactly what it meant? lol

Lokalaskurar said:

Is Chrome really that secure? Wow. Non-cracked system for two years straight now.

T77 said:

No opera??!
