Internet Explorer 9 Falls at Pwn2Own Hacking Contest

[err0r]

First Google Chrome fell, and now Microsoft's Internet Explorer 9 has been exploited.

 

The Microsoft browser on Thursday was taken down at the CanSecWest Pwn2Own hacking competition by a team of hackers with the French research firm Vupen. The hackers exploited two zero-day vulnerabilities, described as a heap overflow bug and a memory corruption flaw, to crack Internet Explorer 9. The hackers were able to run code outside the browser's Protected Mode sandbox, a security feature meant to contain malicious code and prevent it from executing on a system. In doing so, they were able to take control of a fully-patched Windows 7 machine.

 

The code execution attack they developed requires no user interaction beyond browsing to a rigged website, ZDNet reported. It works on old versions of the browser, such as IE 6, all the way up to IE version 10, which is currently only available for consumer preview.

 

"This one was difficult," Vupen co-founder Chaouki Bekrar told ZDNet. "When you have to combine many vulnerabilities and bypass all these protections, it takes a longer time."

 

Representatives from Microsoft were at the event and said they plan to respond to the flaw once receiving information about it by contest organizers, ZDNet said.

 

Pwn2Own, held every year at the CanSecWest security conference in Vancouver, tests hackers to find vulnerabilities in four Web browsersâ€"Microsoft Internet Explorer, Apple Safari, Google Chrome and Mozilla Firefox. The contest is based on a points system, with zero-day exploits against the latest version of a browser awarded 32 points. To win, a team or individual must have demonstrated at least one zero-day.

 

Bekrar said two of his researchers worked full-time for six weeks developing the IE exploit specifically for the contest. On top of that, he said his team had zero-day flaws at the ready for every browser on every operating system.

 

Their preparations appear to have paid off. Vupen on Wednesday started the three-day contest on a high note by hacking into Google Chrome. It was the first time a competitor successfully hacked Chrome during Pwn2Own.

 

Ahead of the Pwn2Own, Google announced that it would dole out a total of $1 million in prize money for successful Chrome hacks, to entice competitors to target the browser and to use the exploits to help bolster the browser's security.

 

Source: PC World