Pwn2Own Day 1: Safari and IE8 First to Fall, Chrome Undefeated
On day one of Pwn2Own, a hacking contest held as part of the CanSecWest security conference, three web browsers were put to the test: Apple Safari, Microsoft IE8 and Google Chrome. The first browser to be tested was Safari 5.0.3 running on a fully patched Mac OS X 10.6.6. The objective for the hackers was to make these browsers run arbitrary code and also perform actions that escape the sandbox.
VUPEN, a French security company, was the first to bag a Mac: they cracked 64-bit Safari, which performed a disk read-write operation even though it was sandboxed, within 5 seconds of visiting the exploit website. This hack was not due to WebKit, the rendering engine in both Safari and Chrome. The details of the hack won’t be available until Apple is able to release a patch that fixes this security hole. It is also worth mentioning that Apple had released a security patch ahead of the competition, fixing at most 60 security holes.
Next in line was 32-bit IE8 running on a 64-bit Windows 7 system. It was beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attempt the hack was successful. The exploit ran a calculator program and wrote a file to the hard disk, thus meeting the criteria for a successful hack.
Chrome was the last one to be tested, but the contestant registered for the event failed to show up, so Chrome claimed the winning crown for day one. Chrome fixed most of its security holes with a patch a day before, which might be the reason why the contestant failed to register.
Chrome was unbeaten last year, as it was not hacked even once. Google had to buy its way into this year’s contest with a cash reward of $20000. With a near-perfect product, what Google hopes to gain from this contest is popularity, if not security fixes. Keeping last year’s performance in mind, Google can safely bet that it will come out unscathed this year too.