For the fourth consecutive time in as many years, three of the most common web browsers have been successfully exploited on day one of Pwn2Own. The annual contest is sponsored by security firm TippingPoint, which challenges hackers and security researchers to attack devices running fully up-to-date versions of the latest browsers and operating systems, and then shares the details with the respective software vendors so they can work on patches.
Not surprisingly there were a few familiar faces showing their exploits at the competition. Just like in 2009 and the year before, Charlie Miller was awarded a cash prize after hacking Safari on a MacBook Pro without having physical access to the machine. Next was Peter Vreugdenhil, who managed to bypass Windows security features including Data Execution Prevention code via Internet Explorer 8 to take over a PC -- receiving $10,000 plus the hardware.
Another former winner known only by his first name, Nils, received $10,000 for exposing a memory corruption flaw in the latest version of Mozilla's Firefox browser. Of all the browsers set up as targets for the contest, only Google's Chrome remained standing on the first day, while Apple's Safari was even saw a second hack centering on the iPhone.
Within minutes of the competition starting, two European researchers, Vincenze Iozzo and Ralf Weinmann, managed to download the SMS database of a fully patched iPhone 3GS simply by visiting a specially crafted website. According to the researchers, while the exploit focused just on the SMS data, the same attack could be designed to access contacts, photos, and other data on the iPhone without the user having any idea an attack was underway.