Apple's Safari among browsers taken down at Pwn2Own day 2

Posted:
in macOS edited March 2015
Safari, Chrome, Firefox, and Internet Explorer were all successfully exploited during the second day of the annual Pwn2Own hacking contest in Vancouver.




South Korean security researcher Jung Hoon Lee toppled Safari with a use-after-free vulnerability, according to Threatpost. Lee was then able to bypass Safari's sandbox thanks to an uninitialized stack pointer, with the combined exploits netting him some $50,000 in prize money.

It seems likely that Lee's use-after-free attack was the catalyst for Tuesday's release of Safari 8.0.4, 7.1.4, and 6.2.4, which brought security fixes to the browser on Yosemite, Mavericks, and Mountain Lion, though that has not been confirmed. Apple said that the updates addressed "multiple memory corruption issues" in WebKit.

Meanwhile, Chrome fell thanks to a buffer overflow condition, Firefox went down after an out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw took Internet Explorer out.

The Pwn2Own contest is held every year in conjunction with CanSecWest, an annual information security conference in Vancouver. Researchers often use the venue to disclose new exploits, which are developed for months in advance.

During Pwn2Own, contestants have 30 minutes to exploit browsers using remote code execution. The exploits must run without any input from the user apart from browsing to a maliciously-crafted website.

Successful hacks earn their creators prize money, with those that involve substantial privilege escalation earning even more. Lee won a total of $225,000 in prizes during the two-day competition.

Comments

  • Reply 1 of 19
    foggyhillfoggyhill Posts: 4,767member
    Quote:

    Originally Posted by AppleInsider View Post



    Safari, Chrome, Firefox, and Internet Explorer were all successfully exploited during the second day of the annual Pwn2Own hacking contest in Vancouver.

     





    South Korean security researcher Jung Hoon Lee toppled Safari with a use-after-free vulnerability, according to Threatpost. Lee was then able to bypass Safari's sandbox thanks to an uninitialized stack pointer, with the combined exploits netting him some $50,000 in prize money.



    It seems likely that Lee's use-after-free attack was the catalyst for Tuesday's release of Safari 8.0.4, 7.1.4, and 6.2.4, which brought security fixes to the browser on Yosemite, Mavericks, and Mountain Lion, though that has not been confirmed. Apple said that the updates addressed "multiple memory corruption issues" in WebKit.



    Meanwhile, Chrome fell thanks to a buffer overflow condition, Firefox went down after an out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw took Internet Explorer out.



    The Pwn2Own contest is held every year in conjunction with CanSecWest, an annual information security conference in Vancouver. Researchers often use the venue to disclose new exploits, which are developed for months in advance.



    During Pwn2Own, contestants have 30 minutes to exploit browsers using remote code execution. The exploits must run without any input from the user apart from browsing to a maliciously-crafted website.



    Successful hacks earn their creators prize money, with those that involve substantial privilege escalation earning even more. Lee won a total of $225,000 in prizes during the two-day competition.

     

    The funny thing is that those exploits could have been found by others, and used for months. WouldnT be better to have an incentive for them to disclose as fast as possible and receive the prize then. Though, Apple releasing now means its probable they knew in advance.

  • Reply 2 of 19
    linkmanlinkman Posts: 1,046member
    It's clear that I'm in the wrong business. While I'm sure that his exploits were learned after many weeks or months of hard work and possibly with team help, $225,000 is far beyond what I earn in a few years. During my work I run across exploits or bugs in company software by barely even trying!
  • Reply 3 of 19
    sflocalsflocal Posts: 6,123member
    Quote:

    Originally Posted by AppleInsider View Post



    ... Lee won a total of $225,000 in prizes during the two-day competition.



    Quarter-mill for two days?  I'm thinking of going from software development to security-exploits.  There's certainly more money in this.  That being said, it's money well spent if it means it squashes more security bugs.

  • Reply 4 of 19
    sflocalsflocal Posts: 6,123member
    Quote:

    Originally Posted by foggyhill View Post

     

     

    The funny thing is that those exploits could have been found by others, and used for months. WouldnT be better to have an incentive for them to disclose as fast as possible and receive the prize then. Though, Apple releasing now means its probable they knew in advance.




    Must you quote the entire article?

  • Reply 5 of 19
    boredumbboredumb Posts: 1,418member
    Quote:

    Originally Posted by AppleInsider View Post

    Lee won a total of $225,000 in prizes during the two-day competition.

    Let's see...how many ?Watch Edition's is that???

  • Reply 6 of 19
    sflocal wrote: »
    ... Lee won a total of $225,000 in prizes during the two-day competition.


    Quarter-mill for two days?  I'm thinking of going from software development to security-exploits.  There's certainly more money in this.  That being said, it's money well spent if it means it squashes more security bugs.

    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
  • Reply 7 of 19
    blazarblazar Posts: 270member
    Apple, hire Lee!
  • Reply 8 of 19
    singularitysingularity Posts: 1,328member
    sflocal wrote: »
    ... Lee won a total of $225,000 in prizes during the two-day competition.


    Quarter-mill for two days?  I'm thinking of going from software development to security-exploits.  There's certainly more money in this.  That being said, it's money well spent if it means it squashes more security bugs.

    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
    browsers are so more advanced and do so much more than they did 20 years ago.
  • Reply 9 of 19
    netroxnetrox Posts: 1,486member
    Quote:

    Originally Posted by Macky the Macky View Post





    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?

    You surely know how complex a web browser is? It has million of code lines and you cannot expect programmers to catch all the bugs and we have backward compatiblity requirements as well. 

  • Reply 10 of 19
    nobodyynobodyy Posts: 377member
    Quote:

    Originally Posted by Macky the Macky View Post





    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?



    They get more complex with more features and the ever changing subset of the net. These aren't only bugs, though, but sometimes just flaws in the methods used to get it all working. 

     

     

    As an example, there are exploits that work on how bits of information are stored in RAM and focus on "shifting" that data around to make "Random-Ram-Object" be accessible, even though through all developer contexts, that random blip of memory is totally nonexistent or accessible to the browser or tab or even application. 

  • Reply 11 of 19
    calicali Posts: 3,494member
    Apple should hire this guy.
  • Reply 12 of 19
    netrox wrote: »
    You surely know how complex a web browser is? It has million of code lines and you cannot expect programmers to catch all the bugs and we have backward compatiblity requirements as well. 

    700
  • Reply 13 of 19
    paulmjohnsonpaulmjohnson Posts: 1,380member
    Quote:

    Originally Posted by cali View Post



    Apple should hire this guy.



    Someone will be talking to him from one of the big companies.  Question is will they be able to afford him.  The really good hackers make a very good living from bug bounties.  The honest hackers are a good thing all told.

  • Reply 14 of 19
    I think this sort of competition is an excellent idea. It may get people who would normally use these exploits to steal money and identities from a trusting browser user, to use their undoubted skills to expose these exploits publicly.

    I would actually like to see the prize money being raised, and paid for by the companies whose browsers are successfully compromised.
  • Reply 15 of 19
    ecatsecats Posts: 274member
    Quote:

    Originally Posted by Macky the Macky View Post





    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?



    I'm sure you've been beaten over the head enough over the naivety of your post. But to be fair all web browsers should be labelled "alpha", as the software is constantly in development. This is because the standards are constantly changing. No single web browser fully supports the latest W3C standards and that isn't something I'd ever even expect to happen.

     

    Like any piece of rapidly developing software, bugs happen. There is a reason why they're targeting web browsers and not email clients. This competition sticks its finger at the weakest link for the benefit of all web users.

  • Reply 16 of 19
    welshdogwelshdog Posts: 1,907member

    Yawn. Some browsers were hacked - again. 

  • Reply 17 of 19
    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
    browsers are so more advanced and do so much more than they did 20 years ago.

    netrox wrote: »
    You surely know how complex a web browser is? It has million of code lines and you cannot expect programmers to catch all the bugs and we have backward compatiblity requirements as well. 

    nobodyy wrote: »
    They get more complex with more features and the ever changing subset of the net. These aren't only bugs, though, but sometimes just flaws in the methods used to get it all working. 

    As an example, there are exploits that work on how bits of information are stored in RAM and focus on "shifting" that data around to make "Random-Ram-Object" be accessible, even though through all developer contexts, that random blip of memory is totally nonexistent or accessible to the browser or tab or even application. 

    Thanks guys. Appreciate the answers. But... but...Wasn't this supposed to stop with WebKit? All that modular code and still some of the old tired exploits are working again.

    When do the coders stop bolting the "Emergency Seft-Destruct" Button next to the "Lower Landing Gear" Button and still get surprised the whole works blows up now and again??
  • Reply 18 of 19
    MarvinMarvin Posts: 15,448moderator
    ecats wrote: »
    I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?

    I'm sure you've been beaten over the head enough over the naivety of your post. But to be fair all web browsers should be labelled "alpha", as the software is constantly in development. This is because the standards are constantly changing. No single web browser fully supports the latest W3C standards and that isn't something I'd ever even expect to happen.

    Like any piece of rapidly developing software, bugs happen. There is a reason why they're targeting web browsers and not email clients. This competition sticks its finger at the weakest link for the benefit of all web users.

    The exploits listed were "uninitialized stack pointer, buffer overflow condition, out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw". It's about time the software development process prevented these by design. The Swift language is designed to prevent some of them but the browser needs fast performance and the webkit codebase is open source and cross-platform so it's in C++. Maybe there can be an intermediate layer between the web content and the C++ code that ensures everything that gets processed by the C++ code is not capable of exploiting vulnerabilities even if they exist. At every entry point to C++ functions, they'd put a Swift process first to quarantine the input to it but Swift wouldn't need to do the heavy processing.
  • Reply 19 of 19
    foggyhillfoggyhill Posts: 4,767member
    Quote:

    Originally Posted by Marvin View Post





    The exploits listed were "uninitialized stack pointer, buffer overflow condition, out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw". It's about time the software development process prevented these by design. The Swift language is designed to prevent some of them but the browser needs fast performance and the webkit codebase is open source and cross-platform so it's in C++. Maybe there can be an intermediate layer between the web content and the C++ code that ensures everything that gets processed by the C++ code is not capable of exploiting vulnerabilities even if they exist. At every entry point to C++ functions, they'd put a Swift process first to quarantine the input to it but Swift wouldn't need to do the heavy processing.

     

    Yes, these are old old old old ways of creating exploits, or maybe just dump the browser in a OS sandbox with very narrow access to resources and forget about actually securing it ;-). IF you do that, it greatly complexifies things for the person who is trying to gain access (near impossible really, even for this genius hacker).  Could even use unsecured browsers as honeypots and just let them have external process monitoring the sandbox and sending info about it back to Apple when exploits are attempted :-).

Sign In or Register to comment.