CanSecWest Pwn2Own Victories


  1. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #1


    The big excitement at the popular CanSecWest Applied Security Conference in Vancouver, British Columbia, Canada is the Pwn2Own events. The take-downs, so far, from ZDNet:



    Ryan Naraine posted on Twitter that "Nils" took down Firefox, also on Windows 7.


  2. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
    Thread Starter
       #2

    Here's the Firefox report:

    Pwn2Own hack topples Firefox on Windows


  3. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
    Thread Starter
       #3

    Microsoft's response to the IE8 take-down:

    Protecting Browsers with Defense In Depth Techniques - Windows Security Blog - The Windows Blog

    In particular note the bolded part from the quote below. IOW, there will continue to be new exploits and all we can do is keep our defenses up.

    Recently, there has been some news from some security researchers about how they've managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well). But like the fire-proof safe example above, defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR, continue to be highly effective protection mechanisms.


  4. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
    Thread Starter
       #4

    Mozilla released Firefox version 3.6.3 to fix the vulnerability Nils used at CanSecWest.

    Release Notes

    Security Advisory
    Title: Re-use of freed object due to scope confusion
    Impact: Critical
    Announced: April 1, 2010
    Reporter: Nils (MWR InfoSecurity)
    Products: Firefox

    Fixed in: Firefox 3.6.3

    Description

    A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object.


    Note: The contest winning exploit only affects Firefox 3.6 and not earlier versions. We will be patching Firefox 3.5 in an upcoming release just in case there is an alternate way of triggering the bug.


  5. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
    Thread Starter
       #5

    It took Apple a while to patch the Pwn2Own bug -- although they were considerably faster this year at 21 days as compared to 55 last year.

    Today, Miller confirmed that the vulnerability Apple patched was the one he used last month to earn a $10,000 prize. "That must be it," he said. "I haven't given them any other bugs."

    In fact, Miller refused to divulge additional bugs he'd found in Apple's operating system during the conference, instead giving a presentation on how he used "dumb fuzzing" techniques to uncover more than 20 exploitable vulnerabilities in Adobe, Apple and Microsoft software. During the presentation, Miller argued that security is a "broken record," and said that it was more effective in the long run to simply show the companies how to replicate his work.


    "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing," Miller said in a March interview. That, he maintained, would result in more secure software.
    More at the source: Apple patches Pwn2Own bug - Computerworld


  6. Posts : 268
    windows 7 ultimate 64 bit,Windows 7 ultimate 32 bit,Windows XP sp3 home
       #6

    10 Lessons From The Pwn2Own Hacker Contest

    The crux:
    1. Dedicated Attackers Will Always Win
    2. Google Chrome Survives: Most Secure? Nope
    3. ASLR + DEP Bypass Puts Hackers Ahead
    4. Despite Hack, IE 8 Most Protected Browser
    5. iPhone Sandbox Model Not Enough
    6. Apple Safari Still Easiest to Hack
    7. Monetary Value of Vulnerabilities Still High
    8. Mozilla Falls Short on Firefox ASLR Implementation
    9. Respect The Fuzzer
    10. Apple Desperately Needs an SDL Program


 
