Russian university student Sergey Glazunov was able to hack into a secure Windows 7 machine using a remote code execution exploit in Google’s Chrome web browser in five minutes, ZDNet reported Wednesday. The exploit was found during CanSecWest’s Pwnium hacker contest, a competition similar to the popular Pwn2Own contest. Google offered a total of $1 million dollar in prize money to hackers who could exploit the company’s Chrome web browser. Glazunov was rewarded $60,000 for his exploit, which found a way around Chrome’s sandbox using vulnerabilities in the extension system. “It didn’t break out of the sandbox [but] it avoided the sandbox,” said Justin Schuh, a member of the Chrome security team. “It was an impressive exploit. It required a deep understanding of how Chrome works. This is not a trivial thing to do.” At Pwn2Own, the VUPEN team was able to hack all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — with Chrome, which was hacked within five minutes, being the first to fall. This is the first time in four years at the competition that Google’s web browser has been hacked. The company is already working on an update that will fix the vulnerabilities uncovered at Pwnium and Pwn2Own. More →
Add Apple’s iOS and Research In Motion’s BlackBerry OS to the list of victims at this year’s Pwn2Own challenge. Conference veteran Charlie Miller, along with Dion Blazakis, deployed an exploit to iOS 4.2.1 through a vulnerability in Safari. By navigating to a custom-made webpage, the duo were able to execute remote code and gain access to the iOS address book. Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann also utilized a WebKit-based vulnerability to take down a BlackBerry Torch running BlackBerry OS 220.127.116.11. The three researchers noted that the exploit used on the BlackBerry’s mobile OS was difficult to craft due to the lack of documentation, software tools, and resources available. They also noted that most of the operating systems security was achieved via obscurity, and stated that the company was “way behind the iPhone at the moment, from a security perspective.” No conference participants have yet to challenge Google’s Android or Microsoft’s Windows Phone 7 operating systems. More →
Safari just got served. At this year’s Pwn2Own conference, security firms and enthusiasts are doing their very best to discover and deploy exploits to some of the world’s most popular browsers. Chrome, Firefox, Internet Explorer, and Safari, they’re all on the menu for conference attendees and some have definitely faired better than others. Google issued a challenge, promising $20,000 to any person or team that could crack Chrome on the conferences opening day, but the two teams scheduled to take a swing backed down. Firefox is, for the time being, still standing, and, per usual, Microsoft’s Internet Explorer was taken down without much fuss. But which browser faired the worst? That would be Apple’s Safari. A French security research firm named Vulpen managed to break into Safari running on a MacBook Air in a cool five seconds. The company noted that the Safari update issued by Apple yesterday — version 5.0.4 — fixes some of the vulnerabilities, but not all. The takedown of Safari 5.0.3 used exploits that are still available in the updated code base. Go ahead Apple detractors, have a little fun in the comments section. More →
Smartphones might have proved to be a tough nut to crack at last year’s CanSecWest Pwn2Own, but the same cannot be said for 2010 as two European hackers were able to gain control of a stock iPhone’s SMS database. The hack, which takes 20 seconds to execute by having the iPhone visit an infected website, allows its SMS messages — including those which had been deleted — to be uploaded to a predetermined server. If that’s not enough to make paranoid iPhone users soil their pants, the same exploit is also said to be able to access to a user’s address book, emails, photos and music all without leaving the iPhone sandbox. Naturally these sort of hacking developments are a bit frightening, but the good news is the hackers will hand their findings to Apple and keep mum on specifics while the Cupertino company does a bit of spackling with its iPhone OS. More →
Hackers taking part in a friendly competition aimed at highlighting OS and software vulnerabilities did some real damage to a variety of computer-based web browsers — including Safari, which took all of 10 seconds to bust on a MacBook — but where smartphones are concerned, the hackers were stumped. The competition took place at CanSecWest in Vancouver, Canada and big cash prizes were up for grabs. In fact, each successful execution of an attack on a smartphone was worth a cool $10,000. Apparently the closest someone came however, was a BlackBerry Bold exploit attempt that failed despite reportedly having worked on a Storm in the past. There was also an exploit performed on Safari for Mac that is thought to work on the iPhone as well but the iPhone hack was not attempted; the rules of the contest stated that each exploit could be used only once. In the end, not a single contestant was able to crack a smartphone during the two-day hackathon. Good news though, hackers, as CanSecWest and ZDI have already stated that smartphones will be included once again in next year’s competition. That gives you about 12 months to hone those skills and put those tiny mobile processors to work.
[Via heise online]