IE8, Firefox and Safari all taken down on day one of Pwn2Own

IE8, Firefox and Safari all taken down on day one of Pwn2Own
At this week's Pwn2Own hacking contest, the iPhone, Safari, Internet Explorer 8 and Firefox browsers were all taken down within minutes.

Vincenzo Iozzo and Ralf-Philipp Weinmann took down the iPhone browser in under five minutes, and left with $15,000 in prize money. Weinmann is most notorious for being part of a team that cracked WEP Wi-Fi security in 2007, faster than was previously recorded.



Charlie Miller of Independent Security Evaluators took down Safari for the third year in a row, leaving with $10,000 in cash as a prize.

The most impressive exploit came from Peter Vreugdenhil who took down IE8 on Windows 7 by "bypassing the operating system's Data Execution Prevention, or DEP, security mechanism, which is designed to stop most attacks." Vreugdenhil earned the same prize as Miller. German student "Nils" took down Firefox on Windows 7 within minutes as well, earning $10k.

TippingPoint, the company that runs the contest, does not divulge the details of the flaws that are used to exploit the browsers but instead purchases the rights to the exploits and then turns it over to the companies behind the browsers.

The only browser remaining unscathed after day one and day two was Google Chrome.

Written by: Andre Yoskowitz @ 25 Mar 2010 16:47
Advertisement - News comments available below the ad
  • 18 comments

  • Josipher

    Go Chrome!!!
    fanboyish i know but i simply love how fast this thing is ^^

    mods go home

    25.3.2010 16:52 #1

  • Emil (unverified)

    Google is a class act. Look what they are doing in china to support human rights.

    25.3.2010 18:54 #2

  • Run4two

    How much is the knowledge of a good exploit worth to these major companies? It seems the monetary awards aren't close to the value. Are these truly the best exploits out there? One would think the prize should be something outside the box, a 2 yr. minimum contract working in the security and piracy division of these companies at a decent salary.

    25.3.2010 22:12 #3

  • Racem22

    Originally posted by Run4two: How much is the knowledge of a good exploit worth to these major companies? It seems the monetary awards aren't close to the value. Are these truly the best exploits out there? One would think the prize should be something outside the box, a 2 yr. minimum contract working in the security and piracy division of these companies at a decent salary. Well I would say if these guys are cracking IE, firefox, and the iphone they most likely got good enough jobs already but who knows.

    26.3.2010 02:21 #4

  • NeoandGeo

    Originally posted by Josipher: Go Chrome!!!
    fanboyish i know but i simply love how fast this thing is ^^     They are all the same speed on the machines I use. The only difference is add-ons and site compatibility.

    26.3.2010 06:32 #5

  • wealldoit

    So we can assume the fastest and finest Windows browser ever -OPERA- wasn't even in the contest. Why not? Couldn't TippingPoint and Pwn2Own even scratch Opera's paintwork? Or was this 'contest' a glorified commercial for Google Chrome?

    26.3.2010 11:25 #6

  • keith1993

    Originally posted by wealldoit: So we can assume the fastest and finest Windows browser ever -OPERA- wasn't even in the contest. Why not? Couldn't TippingPoint and Pwn2Own even scratch Opera's paintwork? Or was this 'contest' a glorified commercial for Google Chrome? Well seen as Opera only has a 2% market share they probably didn't think it was worth it.

    Good news for Chrome though. I've been using it since the early days and the way it's developed and grown is impressive and a half.



    I could put something funny here but I cant be arsed. Now GO AWAY!

    26.3.2010 16:04 #7

  • ville30

    The reason why Chrome is taking longer is that it is a new browser. The hackers have far more experience dealing with the other browsers whose architecture has changed very little over the years.

    26.3.2010 17:30 #8

  • shaffaaf

    please tell me safari was on a macos




    My MGR (Micro Gaming Rig)
    Intel Q6600 @ 3.05GHz .|. DFI Jr P45-T2RS Micro ATX .|. 4GB (2x2GB) PC2-8500 Geil Black Dragon RAM .|. Samsung F3 1TB HDD .|. Pinoeer DVR-216DBK ODD .|. Silverstone NT-06E CPU cooler (passive) .|. Sapphire 4870 512MB x2 in CrossfireX .|. Silverstone Sugo Micro ATX SG02-F Evolution .|. NorthQ Black Magic 850W PSU .|. 24" 1920x1200 DGM MVA Monitor .|. 24" 1920x1080 Dell TN Monitor .|.

    26.3.2010 22:27 #9

  • blueboy09

    Yikes!! I use Opera alot though, and don't see too much of a problem, with just a few exception to Flash though.

    Life is about walking on thin ice, if you make too much drama, youll crack under pressure. - BLUEBOY

    26.3.2010 22:57 #10

  • KSib

    Hm, cross-reference this article with this one before you get too carried away about Chrome: http://www.neowin.net/news/safari-firefo...e-left-untested

    TL;DR: No one attempted to hack it (Chrome), basically.

    Seeing as how there was a time limit they went for browsers they knew they could hack in a reasonable amount of time. Don't get me wrong, Chrome is freaking sweet, but I felt like you guys needed more information.

    26.3.2010 23:08 #11

  • KillerBug

    I'm sure Chrome is crackable...it runs on windows!

    I wonder who will buy the exploit rights for taking down FireFox on Win7...

    27.3.2010 00:50 #12

  • keith1993

    From the Neowin article
    Quote:There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things — you can’t execute on the heap, the OS protections in Windows and the Sandbox.



    I could put something funny here but I cant be arsed. Now GO AWAY!

    27.3.2010 14:45 #13

  • wealldoit

    Originally posted by ville30: The reason why Chrome is taking longer is that it is a new browser. The hackers have far more experience dealing with the other browsers whose architecture has changed very little over the years.

    That's right. But isn't Opera older than Firefox, Safari and most other browsers, let alone Chrome?
    I can only think of IE (1995) and the late great Netscape Navigator (1994) as being slightly older. I'm a little disappointed why it (Opera which first came out in 1996) wasn't involved in this contest..Ah well, no matter...

    29.3.2010 12:23 #14

  • ChappyTTV

    This simply solidifies a well known FACT in all security circles...ALL software is beatable. period.<-(another period)

    I worked in the security industry for a long time, and despite what Nix, Mac or any fanboi will scream for all to hear, they're all exploitable. No code is "secure". It's only secure until it's released to the public and then the holes will begin to appear.

    I always get a laugh at those who yell "MS needs to write secure code!"..LOL! What...those other OS developers have some "magic" code that nobody else knows of or sumthin?? Or have some secret compiler that instantly recognizes a previously unknown exploit before it's released? Get a clue before making idiotic statements like that (which I'm positive are about to come soon).

    2.4.2010 01:21 #15

  • john_swan

    You determine the source code with the most defects then rewrite the code.

    Our software group implemented hundreds of bug fixes and new features but reduced the lines of code in the process. We used static analysis of our source code to find software defects yet to be discovered. We removed source code to support features never released to custommer because project was cancelled while still in engineering. We removed thousands of patches that were never needed because a software engineer did not understand how the microprocessor worked.

    John Swanson

    2.4.2010 02:15 #16

  • ChappyTTV

    Originally posted by john_swan: You determine the source code with the most defects then rewrite the code.

    Our software group implemented hundreds of bug fixes and new features but reduced the lines of code in the process. We used static analysis of our source code to find software defects yet to be discovered. We removed source code to support features never released to custommer because project was cancelled while still in engineering. We removed thousands of patches that were never needed because a software engineer did not understand how the microprocessor worked.     And that is exactly what every programmer (group) does, including those at MS. It's still an impossibility to release completely secure code, and you know that to be true if you work(ed) for a s'ware group. Sure there are ways to test the code and eliminate extraneous or wobbly code, but you can never close holes that are yet to be discovered. As long as code is written, it can, and Will be broken.
    Also the more complex the code, the more opportunity for exploits to be found, and Win-dOhs is about as complex as it gets. I'm a coder too, and I just can't wrap my brain around just how much work goes into that OS..wow.
    No...I just find it funny how much it shows a lack of understanding when people make those types of statements they do against MS for any new exploits that are found. I'm no MS cheerleader about their business model at times, but I (and I know you do too John ;) ) also realize just what the reality of building something so vastly complex as W7 is, and how much they've done to advance computing in general.

    Happy Easter!

    4.4.2010 16:42 #17

  • john_swan

    Will someone at MS please tell us why our computers become non-responsive for several minutes at random intervals. Someday can you imagine that your brakes go offline for several minutes while the computer reboots following a software update.

    4.4.2010 17:57 #18

© 2024 AfterDawn Oy

Hosted by
Powered by UpCloud