It might be funny if so many of us weren’t dependent on them. Three major browsers and the most popular smartphone in America were all put to the test at the Pwn2Own hacker conference, a white-hat hacker conference titled after Internet slang that seeks to test the security of popular products. Well, another bit of Internet slang can best describe how well the security held up: FAIL. eSecurity Planet has the painful details.
Browser vendors have been put on alert this week as security researchers at the Pwn2Own competition at the CanSecWest conference in Vancouver successfully exploited Microsoft Internet Explorer 8, Safari, and Firefox. On the mobile side, an iPhone was shown to be exploitable, too.
The Pwn2Own event tests fully patched versions of software for vulnerabilities and then rewards researchers with prize money if they’re able to demonstrate an exploit. Among the first browsers to fall was Microsoft’s Internet Explorer 8 running on Windows 7.
Security researcher Peter Vreugdenhil was able to demonstrate an attack that got around Microsoft’s security protections in Windows 7 in order to exploit IE 8. As part of the rules for the Pwn2Own event, researchers must keep the specific details of their exploit private so that the contest organizers can hand over the exploit info to the affected vendor.
Vreugdenhil, however, has posted a paper explaining in general terms how he was able to bypass Windows 7 security and exploit IE 8. He noted that he used a two-part exploit in the interest of time, but a one-step exploit might also have been possible.