IE8, Safari, iPhone All Fall At Pwn2Own Contest

SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it." Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."

Re:Did they try to crack Opera?

[dingen]

Opera was not one of the targeted browsers. Check out this page [tippingpoint.com] for info and updates on pwn2own.

Re:So 64-bit ASLR on Windows is flawed as well...

[aristotle-dude]

It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.

You can corrupt memory on 64-bit windows by just running MSFT's own development tools like VS.NET with resharper plug-in. VS.NET begins to corrupt the address space rather quickly. To run VS.NET with any amount of stability on 64bit windows, you have to run it through a third party wrapper application which patches VS in memory to make it large address space aware and stop the memory fragmentation.

Sandboxing news!

[Anonymous Coward]

"However, neither the Firefox nor the IE 8 exploit could overcome the sandboxing features in Windows 7 Protected Mode."

big, good, relevant, no, yes?

Re:BS without details

[Anonymous Coward]

All of these hacks are real-world drive-by attacks against fully patched machines with default OS mitigations in place (ASLR, DEP, sandboxing).

You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc.

This is the third year in a row that Miller did this. He has street cred, so think before you call BS.

I'm not a troll, read the links.

[aristotle-dude]

Whoever modded me a troll obviously did not read the links that I posted. It is a real issue and affected my development environment at work. My 32bit workstation is quite stable but a project that I am working on requires access to copies of production data so we have to do our development on VMs in a separate dev domain and the VM I was given is 64bit to match our target servers. I have useable stability on my VM several hours at a time as long as I run VS 2008 only through that wrapper program and don't kick off the full build script. Eventually, memory corruption problems will bring down either SQL 2008 management studio (has 32bit components) or my wrapped VS 2008 instance. Once the memory is corrupt, I have to reboot the VM.

Re:BS without details

[shutdown -p now]

True, but I thought the point being made was that WebKit affects more than just Safari.

It does. Since WebKit is a library, it will affect everything that uses it. Since it's a standard OS library, any OS X application that might want to render some HTML will probably use it.

Isn't it the core of Firefox these days?

Er... no. Firefox is still Gecko, and they don't plan to change.

And others?

Chrome uses WebKit, but I'm not sure if it actually uses OS-wide WebKit library on OS X, or its own version. I suspect the latter, since, supposedly, they did tweak it quite a bit.

Re:Title misleading?

[Cederic]

Clearly you never visit sites that use Flash or other plugins.

Firefox the browser may not crash often. Firefox the platform does. And when it does, it takes down all my open websites.

I still use it anyway of course - no switching until AdblockPlus (or equivalent) is available for a worthy competitor.

Re:Title misleading?

[Xest]

I too have experienced crashes with Firefox since 3.6, and awful slow downs, in fact, I left it running overnight and locked my computer then came down the next morning to find my computer running slow. I checked task manager and found that Firefox was sat using 1.8gb of RAM, so certainly there seemed to be something screwy with memory management there.

I _think_ the problem is down to handling of some Javascript, when it's crashed it's been loading certain pages, but I can't say for sure. I've always had quite a few tabs open so as to which one might have been the cause I've no idea. I have AdBlock Plus and Firebug installed, as well as the usual Java, Flash and Silverlight plugins, but I've never had any sites using these technologies open when it's happened. I run it on Windows 7 64 bit, which is a fairly clean install, as I've not really installed much since moving to Windows 7, which in itself was a clean install.

Since 3.5 Firefox has become much more sluggish, and since 3.6, much more unstable. It's not a user fault, the software has simply just got worse. Firefox absolutely does have instability issues nowadays, and even when it hasn't crashed I suspect it's not closed properly when I've exited it, because when I've loaded it back up I've seen the "Oops, well this is embarassing" page where it asks if I want to restore my previously opened tabs or start afresh- that's again, not something that can be blamed on the user.

Why are you so sure it's a user problem? Why is his post misleading? I can attest to the fact Firefox absolutely does crash through no real fault of the user, it seems more misleading of you to suggest that Firefox has no instability issues. For what it's worth, the issues don't seem to affect my work laptop which runs Windows XP, but they do affect my secondary home PC which runs XP, so certainly it's not unstable in general- I'm more than happy with it on my work laptop, but it's at the point where it's become such a slow unstable browser back home I'm tempted to just go back to IE or to switch to Chrome. I've not had as many issues with a web browser in terms of performance and stability as I have recent releases of Firefox since older versions of IE like IE5 or the earlier releases of IE6.

Of course browsers don't just "crash on their own", but if they crash in response to a valid user interaction, which Firefox does indeed do, then how is that in any way the user's fault? The GP's got a fairly low UID which suggests he's been using the internet for a fair amount of time, I doubt he's a naive web user, I'm sure when he says his browser crashes it's through no fault of his own, and certainly in my case I know it's through no fault of my own either. I do agree the unstable browser thing is largely a thing of the past, which is why I'm quite suprised that Firefox does have instabilities again, it seems to be a large step backwards- I always figured we were well past that point now.

I love Firefox and support it's goals entirely, in recent years I've always pushed for the rollout of Firefox as the primary browser at companies I've worked at (I've always had that influence as I've been in lead developer roles for bespoke web apps), however I'd not do that right now, I do not currently believe the Firefox platform is reliable enough to put my reputation on pushing for migration to it over anymore, and as things actually seem to be getting worse over the last few releases, rather than better, it's going to take a few versions where things clearly improve before I can honestly go back to having that position. It's not that I don't want to, but I think the Firefox team has lost their way somewhat and needs to take a step back and look at what went wrong.