Safari Pwned in Five Seconds at Pwn2Own
Apple's Safari browser lasted only five seconds against hackers at the Pwn2Own 2011 contest, who compromised it using a fully transparent drive-by download attack.
The 5th annual Pwn2Own competition, which pits hackers against browsers and mobile devices, kicked off yesterday at the CanSecWest security conference in Vancouver.
Most browser makers released patched versions of their products in preparation for the contest, but while Mozilla did it a week in advance and Google three days ago, Apple pushed out Safari 5.0.4 literally minutes before it began.
However, despite the new version fixing a whopping 62 vulnerabilities, the Mac maker could not throw hackers off their game.
French vulnerability research company VUPEN Security tweeted shortly after the release that "this breaks some exploits but not all!"
And they knew what they were talking about, because their representative later hacked the browser in five seconds and took home $15,000.
The successful compromise was achieved on a fully patched 64-bit installation of Mac OS X Snow Leopard running on a 13-inch MacBook Air that was part of the prize.
Even more impressive is that it was done via a drive-by download attack that didn't crash the browser and required no user interaction except for opening a specially crafted page.
Furthermore, the exploit had to bypass the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) OS security measures in order to execute arbitrary code.
VUPEN co-founder Chaouki Bekrar, who performed the hack on behalf of the three-man team that found the vulnerability and created the exploit, told ZDNet that the biggest challenge was the 64-bit architecture due to lack of documentation.
"We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP [return oriented programming] technique," he explained.