IE8, Safari, iPhone All Fall At Pwn2Own Contest

SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it." Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."
  • Google Chrome (Score:3, Interesting)

    by drcosquared ( 1720540 ) on Thursday March 25, 2010 @06:32PM (#31618750)
    Apparently none of them wanted to take on Google Chrome. I believe no one was able to crack it last year.
  • Publishing methods. (Score:1, Interesting)

    by Anonymous Coward on Thursday March 25, 2010 @06:39PM (#31618842)

    I find it interesting that the IE exploit was published for the world to see, but the Mac and Firefox hacks have been held back.

  • by Chris Mattern ( 191822 ) on Thursday March 25, 2010 @10:31PM (#31621170)

    Software Engineering is an engineering discipline. That means the principles according to which the product should work are always tempered by the reality of how the work must be conducted.

    Wow. Just wow. You realize that in any engineering discipline other than software "engineering", that attitude could quite literally leave you facing charges of criminal negligence in court? You follow best practices, you use the established procedures to avoid failure, you *do the work that has to be done* or you are legally liable when it fails.

  • by aristotle-dude ( 626586 ) on Thursday March 25, 2010 @10:35PM (#31621208)

    VS has never done this for me. Which version of Visual Studio are you talking about? Really VS.NET? Because that's 7 years old AFAIK.

    VS 2008 is a 32bit application and it is not even large address space aware so when it is running inside of WOW (windows on windows) in 64bit Server 2008 R2, you will get memory fragmentation fairly quickly because of memory allocation bugs within the Wow subsystem of the 64bit version of any MSFT OS. As Sir_Lewk points out, any 32bit application can cause this problem. The less memory you have, the faster you will notice it.

    See this page for information on the problem:

    http://stevenharman.net/blog/archive/2008/04/29/hacking-visual-studio-to-use-more-than-2gigabytes-of-memory.aspx [stevenharman.net]

    Here is a fix for the problem:

    http://confluence.jetbrains.net/display/ReSharper/OutOfMemoryException+Fix [jetbrains.net]

    Other OSes like OS X and linux do not seem to have these sort of problems. I am able to run 64bit apps in Snow Leopard while running in 32bit kernel mode for driver compatibility. Not only does windows not run 32bit apps properly in 64bit mode but it cannot run 64bit apps in 32bit mode and the 64bit version is a completely separate build of the OS.

  • by shutdown -p now ( 807394 ) on Thursday March 25, 2010 @10:42PM (#31621240) Journal

    From your explanation the issue is then with WebKit and not OS X.

    WebKit ships in the box that says "OS X" on it.

    (by the same token, IE exploits are counted as Windows security issues - and rightly so)

  • by Anonymous Coward on Friday March 26, 2010 @12:09AM (#31621874)

    http://www.downloadsquad.com/2010/03/25/pwn2own-2010-google-chrome-is-the-last-man-standing/

    Quote by Miller:
    "There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things - you can't execute on the heap, the OS protections in Windows and the Sandbox."

  • Re:Holy Shit (Score:3, Interesting)

    by Onymous Coward ( 97719 ) on Friday March 26, 2010 @01:13AM (#31622214) Homepage

    No, really, guys, is it something that can be taught? Or is it more like having the knack for programming in the first place? Like having the cleverness to come up with certain algorithms? If you can describe it well enough that you end up with something ... that ... can ... I bet ... you end up with a program? Um, Purify? Valgrind? I'm not a programmer, but I think those only go so far, right? So we don't have the knowledge in question codified, I bet, so I suppose there may also be some challenge in trying to train others in it.

    Ah, I'm a dumbass and should just RTFA. Sorry.

    Okay.

    Dumb fuzzing? Is that what I think it is? And, so the vendors are dumb fuzzing but not as successfully as he? Hm. Maybe it's just a matter of giving some pointers. I imagine withholding the bugs will get the vendors' attentions. I love how this is a David -> Goliath spanking.

    Look, I found a virtual Wikipedia article on dumb fuzzing, but it wasn't at Wikipedia. It was at one of those homegrown security outfits. [krakowlabs.com] ("Fuzzing for Fun and Profit", Jeremy Brown (rush).)

  • Re:Please elaborate (Score:4, Interesting)

    by Bill_the_Engineer ( 772575 ) on Friday March 26, 2010 @03:34AM (#31622858)

    How can you say that Windows is a "softer" target than Linux, but Linux is not "safer"?

    Sorry about that. I've really made a confusing comment.

    What I meant was that Linux wasn't necessarily safe, it was just a much harder target than Windows. Why? Because there were plenty of working exploits in the wild for Windows, yet all we had were a list of exploits for Linux that needed to be coded.

    So Windows proved to be the "softer" target just because of time saved. Linux wasn't necessarily "safer" because we had the RedHat bulletins in hand and could have taken advantage of them but didn't because it would have required more time per point scored when compared to Windows. Why work hard to gain fewer points? The scoring didn't factor difficulty in that first year. I don't even know if they do now.

    Unlike Pwn2Own, Digital Combat Exercise (love it when the Army gets involved) did not disclose the network layout. So we had to map it, and exploit it in 2 hours. This made it more of a race than to demonstrate security hardness of an OS. If anything, it was more of a demonstration on the importance of a qualified IT staff.

    Anyway, the only thing that prevented Linux from being exploited that first year was laziness (and lack of time) on our part. We assumed Linux was hard to exploit, so we didn't bother. The following year the team didn't have that assumption and took advantage of some machines that didn't have up-to-date patches.

    Hope that clears up the confusion a little.
