It’s that time of the year again; that time of the year where news outlets get to indulge in sensationalist headlines about how Mac OS X got hacked in twenty seconds. Yes, CanSecWest just held its Pwn2Own contest again, and they fell like drunk 16-year-olds this time (don’t read too much into that one, please).
Lots of successful cracks this year: Internet Explorer 8 on Windows 7, Firefox 3.6 on Windows 7, iPhone OS 3.0, and Safari 4 on Mac OS X 10.6. Opera didn’t partake, and nobody even attempted to take on Google’s Chrome. Details of all the cracks and exploits will be handed over to the vendors involved; they won’t be made public until patched.
Little is known about the Safari 4 on Mac OS X 10.6 and Firefox 3.6 on Windows 7 cracks. We do know that the Safari one was performed by Charlie Miller, who has now won three Pwn2Own contests in a row. He came to the contest with 20 exploits in hand, which he found using a 5-line Python script; he will detail his method tomorrow (oh, that’s today).
“Tomorrow, I’m going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they’ll find my 20 [bugs] and probably a lot more,” Miller said. “Hopefully, they’ll keep doing that and improve their mechanisms of finding bugs as opposed to just slapping band-aids every time I send them email about what bug I have.”
We know a little more about the iPhone OS crack. Vincenzo Iozzo from security firm Zynamics and Ralf-Philipp Weinmann, a post-doctoral researcher at the University of Luxembourg, used an exploit in Safari to gain access to the text messages stored on the phone – even those that had been “deleted”. The interesting aspect here is that they bypassed both the iPhone’s Data Execution Prevention (which keeps injected data from being run as code) and its mandatory code signing (which refuses to load any code not signed by Apple). In practice, those two protections together mean an attacker cannot simply drop shellcode onto the phone; the payload has to be assembled from code that is already present in signed binaries.
The Internet Explorer 8 on Windows 7 crack has also been detailed a little more. Peter Vreugdenhil, who works for Vreugdenhil Research here in The Netherlands, had to chain two exploits to gain code execution on Windows 7, but with that, he managed to get past both Windows 7’s ASLR and its DEP – without relying on any third-party plugins or other software, just the browser and the operating system itself.
It is important to note, however, that neither the IE8 nor the iPhone crack escaped the OS-supplied sandbox, so the attacker’s code ran with only the browser’s restricted privileges: it could read whatever data the browser process can read, but it could not install malware or otherwise take over the system. Still, as the text-message grab on the iPhone shows, that is more than enough for data theft.