Major Google Chrome vulnerability uncovered by hacker at Pwnium contest

By on March 8, 2012 at 5:20 PM.

Major Google Chrome vulnerability uncovered by hacker at Pwnium contest

Russian university student Sergey Glazunov was able to hack into a secure Windows 7 machine using a remote code execution exploit in Google’s Chrome web browser in five minutes, ZDNet reported Wednesday. The exploit was found during CanSecWest’s Pwnium hacker contest, a competition similar to the popular Pwn2Own contest. Google offered a total of $1 million dollar in prize money to hackers who could exploit the company’s Chrome web browser. Glazunov was rewarded $60,000 for his exploit, which found a way around Chrome’s sandbox using vulnerabilities in the extension system. “It didn’t break out of the sandbox [but] it avoided the sandbox,” said Justin Schuh, a member of the Chrome security team. “It was an impressive exploit. It required a deep understanding of how Chrome works. This is not a trivial thing to do.” At Pwn2Own, the VUPEN team was able to hack all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — with Chrome, which was hacked within five minutes, being the first to fall. This is the first time in four years at the competition that Google’s web browser has been hacked. The company is already working on an update that will fix the vulnerabilities uncovered at Pwnium and Pwn2Own. More →

No Comments

BlackBerry vulnerability exposed at Pwn2Own; no fix in sight

By on March 17, 2011 at 12:42 PM.

BlackBerry vulnerability exposed at Pwn2Own; no fix in sight

In light of a WebKit vulnerability discovered at this year’s Pwn2Own conference in Vancouver, Research In Motion has issued a bulletin for its most security conscious customers. Affecting handsets running BlackBerry Device Software version 6.0 or higher, the exploit could allow an attacker to gain access to data stored on the media card or in the media storage area built into BlackBerry devices. RIM notes that the vulnerability does not grant attackers access to email, calendar, contact, or application store data. Regardless, if you’re reading this with your tinfoil hat on, the company has issued a list of workarounds that can mitigate your risk to the hack. Standalone users can disable JavaScript in their Internet browser — JavaScript is not the root of the problem, but the use of JavaScript is required to execute the vulnerability. BlackBerry Enterprise Server administrators can disable the BlackBerry browser altogether from the BES console — which, as you can imagine, has other implications. RIM has yet to comment on when a more permanent fix might become available, but it has issued a statement saying it is, “investigating the issue to determine the best resolution for protecting BlackBerry smartphone users.” More →

27 Comments

iOS, BlackBerry OS fall at Pwn2Own

By on March 11, 2011 at 11:33 PM.

iOS, BlackBerry OS fall at Pwn2Own

Add Apple’s iOS and Research In Motion’s BlackBerry OS to the list of victims at this year’s Pwn2Own challenge. Conference veteran Charlie Miller, along with Dion Blazakis, deployed an exploit to iOS 4.2.1 through a vulnerability in Safari. By navigating to a custom-made webpage, the duo were able to execute remote code and gain access to the iOS address book. Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann also utilized a WebKit-based vulnerability to take down a BlackBerry Torch running BlackBerry OS 6.0.0.246. The three researchers noted that the exploit used on the BlackBerry’s mobile OS was difficult to craft due to the lack of documentation, software tools, and resources available. They also noted that most of the operating systems security was achieved via obscurity, and stated that the company was “way behind the iPhone at the moment, from a security perspective.” No conference participants have yet to challenge Google’s Android or Microsoft’s Windows Phone 7 operating systems. More →

46 Comments

Apple’s Safari browser embarrassed at Pwn2Own, hacked in 5 seconds

By on March 10, 2011 at 8:34 AM.

Apple’s Safari browser embarrassed at Pwn2Own, hacked in 5 seconds

Safari just got served. At this year’s Pwn2Own conference, security firms and enthusiasts are doing their very best to discover and deploy exploits to some of the world’s most popular browsers. Chrome, Firefox, Internet Explorer, and Safari, they’re all on the menu for conference attendees and some have definitely faired better than others. Google issued a challenge, promising $20,000 to any person or team that could crack Chrome on the conferences opening day, but the two teams scheduled to take a swing backed down. Firefox is, for the time being, still standing, and, per usual, Microsoft’s Internet Explorer was taken down without much fuss. But which browser faired the worst? That would be Apple’s Safari. A French security research firm named Vulpen managed to break into Safari running on a MacBook Air in a cool five seconds. The company noted that the Safari update issued by Apple yesterday — version 5.0.4 — fixes some of the vulnerabilities, but not all. The takedown of Safari 5.0.3 used exploits that are still available in the updated code base. Go ahead Apple detractors, have a little fun in the comments section. More →

116 Comments

iPhone hacked and hijacked at Pwn2Own

By on March 25, 2010 at 6:28 AM.

iPhone hacked and hijacked at Pwn2Own

haxor

Smartphones might have proved to be a tough nut to crack at last year’s CanSecWest Pwn2Own, but the same cannot be said for 2010 as two European hackers were able to gain control of a stock iPhone’s SMS database. The hack, which takes 20 seconds to execute by having the iPhone visit an infected website, allows its SMS messages — including those which had been deleted — to be uploaded to a predetermined server. If that’s not enough to make paranoid iPhone users soil their pants, the same exploit is also said to be able to access to a user’s address book, emails, photos and music all without leaving the iPhone sandbox. Naturally these sort of hacking developments are a bit frightening, but the good news is the hackers will hand their findings to Apple and keep mum on specifics while the Cupertino company does a bit of spackling with its iPhone OS. More →

41 Comments

Smartphones escape Pwn2Own unhacked

By on March 25, 2009 at 4:37 PM.

Smartphones escape Pwn2Own unhacked

Hackers taking part in a friendly competition aimed at highlighting OS and software vulnerabilities did some real damage to a variety of computer-based web browsers — including Safari, which took all of 10 seconds to bust on a MacBook — but where smartphones are concerned, the hackers were stumped. The competition took place at CanSecWest in Vancouver, Canada and big cash prizes were up for grabs. In fact, each successful execution of an attack on a smartphone was worth a cool $10,000. Apparently the closest someone came however, was a BlackBerry Bold exploit attempt that failed despite reportedly having worked on a Storm in the past. There was also an exploit performed on Safari for Mac that is thought to work on the iPhone as well but the iPhone hack was not attempted; the rules of the contest stated that each exploit could be used only once. In the end, not a single contestant was able to crack a smartphone during the two-day hackathon. Good news though, hackers, as CanSecWest and ZDI have already stated that smartphones will be included once again in next year’s competition. That gives you about 12 months to hone those skills and put those tiny mobile processors to work.

[Via heise online]

Read

14 Comments