Apple's Safari among browsers taken down at Pwn2Own day 2
Safari, Chrome, Firefox, and Internet Explorer were all successfully exploited during the second day of the annual Pwn2Own hacking contest in Vancouver.
South Korean security researcher Jung Hoon Lee toppled Safari with a use-after-free vulnerability, according to Threatpost. Lee was then able to bypass Safari's sandbox thanks to an uninitialized stack pointer, with the combined exploits netting him some $50,000 in prize money.
It seems likely that Lee's use-after-free attack was the catalyst for Tuesday's release of Safari 8.0.4, 7.1.4, and 6.2.4, which brought security fixes to the browser on Yosemite, Mavericks, and Mountain Lion, though that has not been confirmed. Apple said that the updates addressed "multiple memory corruption issues" in WebKit.
Meanwhile, Chrome fell thanks to a buffer overflow condition, Firefox went down after an out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw took Internet Explorer out.
The Pwn2Own contest is held every year in conjunction with CanSecWest, an annual information security conference in Vancouver. Researchers often use the venue to disclose new exploits, which are developed for months in advance.
During Pwn2Own, contestants have 30 minutes to exploit browsers using remote code execution. The exploits must run without any input from the user apart from browsing to a maliciously crafted website.
Successful hacks earn their creators prize money, with those that involve substantial privilege escalation earning even more. Lee won a total of $225,000 in prizes during the two-day competition.
Comments
The funny thing is that those exploits could have been found by others, and used for months. Wouldn't it be better to have an incentive for them to disclose as fast as possible and receive the prize then? Though, Apple releasing now means it's probable they knew in advance.
... Lee won a total of $225,000 in prizes during the two-day competition.
Quarter-mill for two days? I'm thinking of going from software development to security-exploits. There's certainly more money in this. That being said, it's money well spent if it means it squashes more security bugs.
The funny thing is that those exploits could have been found by others, and used for months. Wouldn't it be better to have an incentive for them to disclose as fast as possible and receive the prize then? Though, Apple releasing now means it's probable they knew in advance.
Must you quote the entire article?
Lee won a total of $225,000 in prizes during the two-day competition.
Let's see...how many Apple Watch Editions is that???
I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
You surely know how complex a web browser is? It has millions of lines of code and you cannot expect programmers to catch all the bugs, and we have backward compatibility requirements as well.
I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
They get more complex with more features and the ever changing subset of the net. These aren't only bugs, though, but sometimes just flaws in the methods used to get it all working.
As an example, there are exploits that work on how bits of information are stored in RAM and focus on "shifting" that data around to make "Random-Ram-Object" be accessible, even though through all developer contexts, that random blip of memory is totally nonexistent or accessible to the browser or tab or even application.
Apple should hire this guy.
Someone will be talking to him from one of the big companies. Question is will they be able to afford him. The really good hackers make a very good living from bug bounties. The honest hackers are a good thing all told.
I would actually like to see the prize money being raised, and paid for by the companies whose browsers are successfully compromised.
I would think that after all these years browsers would be bulletproof. Are browsers being that poorly written with nothing learned in 20 years?
I'm sure you've been beaten over the head enough over the naivety of your post. But to be fair all web browsers should be labelled "alpha", as the software is constantly in development. This is because the standards are constantly changing. No single web browser fully supports the latest W3C standards and that isn't something I'd ever even expect to happen.
Like any piece of rapidly developing software, bugs happen. There is a reason why they're targeting web browsers and not email clients. This competition sticks its finger at the weakest link for the benefit of all web users.
Yawn. Some browsers were hacked - again.
Thanks guys. Appreciate the answers. But... but...Wasn't this supposed to stop with WebKit? All that modular code and still some of the old tired exploits are working again.
When do the coders stop bolting the "Emergency Self-Destruct" button next to the "Lower Landing Gear" button and still get surprised the whole works blows up now and again??
The exploits listed were "uninitialized stack pointer, buffer overflow condition, out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw". It's about time the software development process prevented these by design. The Swift language is designed to prevent some of them but the browser needs fast performance and the webkit codebase is open source and cross-platform so it's in C++. Maybe there can be an intermediate layer between the web content and the C++ code that ensures everything that gets processed by the C++ code is not capable of exploiting vulnerabilities even if they exist. At every entry point to C++ functions, they'd put a Swift process first to quarantine the input to it but Swift wouldn't need to do the heavy processing.
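The validating boundary the comment above proposes, as an added example that is not part of the article or any commenter's code and is not WebKit's: a hypothetical length-prefixed record format (one length byte, then that many payload bytes) is parsed by a function that checks every read against the bytes actually present and every write against the fixed destination size, so a hostile length byte can neither read past the input (the out-of-bounds read class) nor overflow the destination (the buffer overflow class), and the output struct is zeroed so no uninitialized bytes leave the boundary. The example is in C rather than the Swift the commenter suggests, so it can run beside the sample inputs; the record format, `MAX_PAYLOAD` and the sample buffers are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format used only for this example:
 * one length byte followed by that many payload bytes. */
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} record_t;

/* Validating boundary. Every read is checked against the bytes actually
 * available and every write against the fixed destination size, so a
 * hostile length byte can neither read past the end of buf (out-of-bounds
 * read) nor overflow out->payload (buffer overflow). The output is zeroed
 * before use so no uninitialized bytes escape. Returns the number of input
 * bytes consumed, or 0 if the record is rejected. */
size_t parse_record_checked(const uint8_t *buf, size_t buf_len, record_t *out)
{
    if (buf == NULL || out == NULL || buf_len < 1)
        return 0;
    uint8_t len = buf[0];
    if (len > MAX_PAYLOAD)            /* would overflow out->payload */
        return 0;
    if ((size_t)len > buf_len - 1)    /* would read beyond buf */
        return 0;
    memset(out, 0, sizeof *out);
    out->len = len;
    memcpy(out->payload, buf + 1, len);
    return (size_t)len + 1;
}

/* Walk a stream of records, stopping at the first one that fails validation.
 * Returns how many records were accepted; only those would ever reach the
 * heavy processing stage behind the boundary. */
size_t parse_stream(const uint8_t *buf, size_t buf_len)
{
    size_t accepted = 0, off = 0;
    record_t rec;
    while (off < buf_len) {
        size_t used = parse_record_checked(buf + off, buf_len - off, &rec);
        if (used == 0)
            break;
        off += used;
        accepted++;
    }
    return accepted;
}

/* Constructed sample inputs (not taken from any real traffic). */
static const uint8_t GOOD[]      = {3, 'a', 'b', 'c'};
static const uint8_t TRUNCATED[] = {10, 'a', 'b'};     /* claims 10 bytes, carries 2 */
static const uint8_t OVERSIZED[] = {200, 'x'};         /* 200 > MAX_PAYLOAD */
static const uint8_t STREAM[]    = {2, 'h', 'i', 0, 1, 'z', 9, 'q'}; /* 3 good, then truncated */

/* Convenience wrapper: validate one buffer without the caller declaring a record_t. */
size_t try_parse(const uint8_t *buf, size_t buf_len)
{
    record_t rec;
    return parse_record_checked(buf, buf_len, &rec);
}

int main(void)
{
    printf("GOOD      -> consumed %zu\n", try_parse(GOOD, sizeof GOOD));
    printf("TRUNCATED -> consumed %zu\n", try_parse(TRUNCATED, sizeof TRUNCATED));
    printf("OVERSIZED -> consumed %zu\n", try_parse(OVERSIZED, sizeof OVERSIZED));
    printf("STREAM    -> %zu records accepted\n", parse_stream(STREAM, sizeof STREAM));
    return 0;
}
```

The point of the design is that the two checks sit in one small, auditable function at the trust boundary; the code behind it can assume `len <= MAX_PAYLOAD` and that `payload` is fully initialized, which is the property the commenter wants the "quarantine" layer to guarantee regardless of which language does the heavy processing.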
The exploits listed were "uninitialized stack pointer, buffer overflow condition, out-of-bounds read/write vulnerability, and a time-of-check to time-of-use flaw". It's about time the software development process prevented these by design. The Swift language is designed to prevent some of them but the browser needs fast performance and the webkit codebase is open source and cross-platform so it's in C++. Maybe there can be an intermediate layer between the web content and the C++ code that ensures everything that gets processed by the C++ code is not capable of exploiting vulnerabilities even if they exist. At every entry point to C++ functions, they'd put a Swift process first to quarantine the input to it but Swift wouldn't need to do the heavy processing.
Yes, these are old old old old ways of creating exploits, or maybe just dump the browser in an OS sandbox with very narrow access to resources and forget about actually securing it ;-). If you do that, it greatly complexifies things for the person who is trying to gain access (near impossible really, even for this genius hacker). Could even use unsecured browsers as honeypots and just let them have an external process monitoring the sandbox and sending info about it back to Apple when exploits are attempted :-).