In the Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, Canada, security researchers and hackers quickly hacked three of the major browsers to take control of the underlying operating systems.
— A German hacker who goes by the handle “Nils” used a previously unknown vulnerability in Mozilla’s Firefox to gain control of a 64-bit Windows 7 machine.
— Peter Vreugdenhil, an independent researcher from the Netherlands, used several vulnerabilities in Internet Explorer to take control of a machine running a patched 64-bit Windows 7 implementation.
— Researcher Charlie Miller used a vulnerability in the Safari browser to take control of a MacBook.
The winners of the contest get cash prizes and get to keep the machines they hack.
TippingPoint’s Zero Day Initiative, which sponsored the contest, owns the rights to the hacks and will present the details to Mozilla, Microsoft and Apple so those companies can issue patches before details are made public.
TippingPoint has put up $100,000 in prizes for the contest. This is its fourth year.
PCWorld story here.
More details in Computerworld story here.
This is a very high-profile event that helps focus the world’s attention on security vulnerabilities without anyone losing their banking logins, credit card numbers or account balance. The big lesson this year is that all browsers have vulnerabilities that can be exploited by malicious web sites and are often the way in to an operating system. Web users would be well advised to keep alert for updates no matter which one they use.
Various commentators are foaming at the mouth about Windows 7 weaknesses (“a FULLY PATCHED 64 bit Windows 7 installation!”), a Mac being hacked (“see, enterprises shouldn’t rely on the security of OS X!”) and the fact that Ubuntu Linux was NOT hacked (“aw, they just didn’t give them enough time!”).
It’s a passion thing: love me, love my OS.