Safari, IE 8 and Firefox hit by Zero-Day at PWN2OWN

From the ‘I’m glad these are the good guys” files:

Apple Safari was hacked in under 2 minutes yesterday by way of a zero day exploit that has yet to be patched (or released into the wild). IE8 and Firefox were also taken down by zero day exploits. It was all part of the fun at the third annual PWN2OWN contest which kicked off yesterday (check out my story from yesterday on the PWN2OWN contest kickoff).

Security research Charlie Miller, once again targeted Safari (he won last year) and demonstrated how he could hack Safari in under 2 minutes. Miller wasn’t the only one hacking Safari at PWN2OWN, a security researcher who identified himself only as ‘Nils’, used a different exploit to bring Safari to its knees as well.

Nils also defeated Microsoft’s IE8 browser.

“With a little
tweaking, he ran a sleek exploit against IE,, defying Microsoft’s
latest built in protection technologies, ” Terri Forslof, manager of security response at TippingPoint DVLabs blogged.

Nils also managed to defeat Firefox 3.x with a zero day as well. In total Nils was awarded $15,000 by PWN2OWN for his hacking prowess.

The PWN2OWN contest winner are under a non-disclosure agreement to not publicly discuss their vulnerabilities until the vendors can patch them — which is a very good thing.

What Nils was able to demonstrate, is that the three major browsers are all at risk (perhaps from a similar attack vector). If that knowledge were out in the wild that could lead to chaos, as no browser would be safe from attack.

What PWN2OWN and TippingPoint are doing is the responsible thing, they’re passing the vulnerabilities off to the affected vendors so they can be fixed (hopefully) before the bad hackers exploit them in the wild.