::Trend Micro Threat Resource Center::

Showing posts with label safari.

10 March 2011

Safari And Internet Explorer, First To Fall In Pwn2Own

The Pwn2Own contest, reported earlier by SecurityProNews, has taken place this week and two web browsers have already fallen. According to a ComputerWorld report, Apple's Safari fell to a French security company; the hack took only five seconds to implement.

The team which hacked Safari was able to walk home with a $15,000 cash prize and the MacBook Air they performed the hack on. What makes the hack impressive is that Apple released a security update for the browser which fixed 64 security flaws.

While the Safari hack was done quickly, many have been greatly impressed by the Internet Explorer exploit. Instead of a company, the IE8 hack was developed by a single person, Stephen Fewer. He's an independent researcher who caught the eye of Aaron Portnoy, a member of TippingPoint's team, the group who put the Pwn2Own contest together.

Fewer had to use a few vulnerabilities to successfully hack IE8 on Windows 7. Here's what Portnoy said of the hack: "The most impressive so far," he continues. "He used three vulnerabilities to [not only] bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before."

While Safari and IE8 have been hacked, Chrome has remained safe. No one has attempted to hack the browser, so their $20,000 prize is safe. The purse was only available to those who hacked the browser on the first day of the contest. If anyone is able to successfully hack the browser now or later on, they will receive $10,000 from Google and $10,000 more from TippingPoint.

Pwn2Own has two more days before all is said and done, which will see hackers make their attempts at Mozilla Firefox, and the four smartphone operating systems: Apple iOS, Google Android, Microsoft Windows 7, and RIM's Blackberry.

04 February 2011

Pwn2Own Contest Pays Hackers To Exploit Firefox, Internet Explorer, And Google Chrome

Pwn2Own is a contest which pits hackers against the major web browsers. Their goal is to successfully exploit the browsers and find bugs which allow for these hacks. The hackers aren't just doing this to be nice either; there's a prize pool worth $125,000. Cash, laptops, and desktops will all be available to win.

The contest features all the major browsers (Firefox, Internet Explorer, Safari, and Chrome), which will be running on both Windows 7 PCs and Mac OS X machines. The contest is hosted by TippingPoint, a research organization that works to provide protection against system vulnerabilities.

There are a couple of new additions to the contest, both of which will pay prize money. First, there will be a mobile hacking event. This will pit researchers against the likes of Apple's iOS, Google Android, Microsoft's Windows 7 Phone, and RIM's Blackberry OS.

The news which is really drawing attention to the event is Google Chrome joining in on the action. Not only are they participating, but they're ponying up their own dough to award the hackers. $20,000 will go to the hacker who can find an exploit in Google Chrome first.

Google has been very confident in their belief that Chrome cannot be hacked. This is due to their use of a 'sandbox' anti-exploit defense. This type of defense isolates a program from other system processes, and requires hackers to take an additional step to truly perform a successful breach.

Google will provide their $20,000 prize only on the first day, because on that day only the browsers themselves will be available to the contestants. On the second and third days, contestants are allowed to use bugs in the operating systems to perform their hacks. For the last two days Google will still provide a $10,000 award, which will be matched by TippingPoint. So no matter what day a hacker might successfully exploit Chrome, they'll still receive $20,000.

This is the contest's fifth running, and the award money has never been higher. The contest itself is about helping the browser developers better implement security strategies that keep malicious hackers from fulfilling their exploits.

30 November 2010

Behavior of Safari on the iPhone could benefit scammers

A behavior of the Safari browser on the iPhone could be used by phishers and scammers to fool users into believing they have landed on a legitimate site, says Nitesh Dhanjani.

In short, it allows scammers to display a fake URL bar and hide the real one. Users accessing websites from their computers are not in jeopardy, since popular web browsers do not allow websites to modify the text in the address bar in any way or to hide the address bar itself.


There are two mitigating circumstances that allow alert users to spot the trick:
  • While the page loads, the real address bar is visible.
  • When the page is rendered, the real address bar is visible if the user scrolls up.

Dhanjani set up a proof of concept demo page (http://www.dhanjani.com/ios-safari-ui-spoofing/) which you can visit with your iPhone to witness that behavior for yourself.

He says that he notified Apple about the issue, but that they could not say when it will be addressed.

24 July 2010

Safari's AutoFill reveals personal information

A feature of Apple's Safari browser can be used by hackers to harvest personal information, says Jeremiah Grossman, founder and CTO of WhiteHat Security, in his recent blog post.

The feature in question is AutoFill, which automatically fills the text fields of forms in HTML pages with information such as name, address (city, state, country), company, email address, etc.

Unfortunately, this feature is enabled by default and pulls this information from the local operating system address book - not from previously entered data that the browser "remembered" from when you entered it on a different website.

"All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript," says Grossman. "When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker."

The only information that the feature - for some reason - doesn't automatically fill is data starting with a number (phone numbers, street addresses) - so, yes, it could be worse.

"Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload," says Grossman. "In fact, there is no guarantee this has not already taken place."

He goes on to say that he contacted Apple with this information a little over a month ago, but has still received no reply from them other than an auto-response message. Until a fix is issued, he recommends that Safari users disable the feature (Preferences > AutoFill > AutoFill web forms).
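As a defensive illustration of the behavior described above (an added example, not code from Grossman or from this blog), the following Python sketch scans a saved DOM snapshot for text inputs that are hidden from the user yet named like address-book fields. The field names and the inline-style patterns are assumptions; the article names the data categories but not the exact attribute values.

```python
import re
from html.parser import HTMLParser

# Assumed AutoFill-style field names; the article lists the data categories
# (name, address, company, email) but not the exact attribute values.
PERSONAL_NAMES = {"name", "company", "city", "state", "country", "email"}

# Inline-style patterns that keep an input out of the user's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class AutofillBaitScanner(HTMLParser):
    """Collects text inputs that are invisible yet named like personal-data fields."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        # An input without a type attribute behaves as a text field.
        if a.get("type", "text").lower() not in ("text", "email"):
            return
        name = a.get("name", "").lower()
        if name in PERSONAL_NAMES and HIDDEN_STYLE.search(a.get("style", "")):
            self.findings.append(name)


def scan_snapshot(html):
    """Return the sorted names of hidden personal-data inputs in a DOM snapshot."""
    scanner = AutofillBaitScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)


# Constructed snapshot: a visible search box, a visible city field, three hidden fields.
SAMPLE = """
<form><input type="text" name="q"></form>
<form>
  <input type="text" name="name" style="position:absolute; left:-9999px">
  <input name="email" style="opacity: 0">
  <input type="text" name="company" style="display:none">
  <input type="text" name="city">
</form>
"""

if __name__ == "__main__":
    print(scan_snapshot(SAMPLE))
```

Because the fields in question are created dynamically, the check is only meaningful on a snapshot taken after the page's scripts have run, and it sees inline styles only, not rules applied from stylesheets.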

22 March 2010

20 critical Apple vulnerabilities to be revealed

Just because you're an Apple Mac user doesn't mean you're safe from the clutches of software exploits.

Charlie Miller, the security researcher renowned for hacking Apple products during many a hacking competition, will be making public (at the CanSecWest security conference later this month) his latest research through which - he claims - he was able to find some 30 critical flaws in commonly used software.

Having hacked the MacBook Air and the Safari browser in the past, he might seem bent on making Apple look bad, but his research encompassed testing of software from different vendors: Adobe Reader, Apple Preview, Microsoft PowerPoint and Oracle's OpenOffice.

Using a simple Python script to fuzz test the applications, he discovered more than 1000 ways to crash them. Of that number, 30 bugs allowed him to hijack the programs. And of those 30, 20 were found in Apple's Preview.

He says that he was surprised to find so many bugs, since the only thing required for this kind of testing is some knowledge and a lot of patience - the script was running on the programs for 3 weeks. “It’s shocking that Apple didn’t do this first,” said Miller in an interview with Forbes.

The results are even more surprising when one considers that Adobe Reader was also tested. One of Adobe's most widely used programs, Reader is considered to be one of the most flawed applications out there and its vulnerabilities are regularly exploited by cyber criminals.

Miller is still considering what to do with his discovery. He still hasn't revealed the details of the bugs to Apple or to the other vendors, and is thinking about not doing it at all, but keeping them secret and checking occasionally if they have been fixed.

This way, we could all definitely know which vendors are serious about security - and which are not.

19 March 2010

IE8, iPhone will fall first day of hacking contest, predicts organizer

Microsoft's Internet Explorer 8, not Apple's Safari, will be the first browser to fall in next week's Pwn2Own hacking challenge, the contest organizer said today.

Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own, also predicted that Apple's iPhone will be the only smartphone hacked during the contest, which starts March 24.

Researchers will compete for $100,000 in cash prizes next week at CanSecWest, the Vancouver, British Columbia, security conference that has been the home of Pwn2Own. The dual-track contest -- one for browsers, the other for mobile operating systems -- will pit hackers against the latest versions of Chrome, Firefox, Internet Explorer (IE) and Safari running on Windows 7 or Mac OS X. The smartphone track will set hackers against Apple's iPhone 3GS, a Blackberry Bold 9700, a Nokia phone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google's Android.

So, who do you think are the contenders for surviving this hacking challenge?

Read full report here and updates of the event here.

11 June 2009

MSFT, Adobe and Apple patch together

Three major software companies issued updates this week, with Microsoft fixing 31 vulnerabilities in its operating system and applications, Adobe patching more than a dozen issues in its document reader software, and Apple closing over 50 serious security holes in its Safari browser.

With ten patches, Microsoft fixed more than two dozen flaws, including ten vulnerabilities voided by a trio of patches. The flaws are rated Critical by Microsoft only for Office 2000 and rated Important for other versions of the productivity program. Perhaps the most serious vulnerabilities fixed by the software giant are seven security issues in the company's flagship browser, Internet Explorer 8, said Andrew Storms, director of security operations for network protection firm nCircle.

"Topping this month's moderately large release cycle from Microsoft is the critical IE update that affects even Microsoft's latest and most secure browser, IE 8," Storms said in a statement sent to SecurityFocus. "Client side, browser based vulnerabilities continue to top the charts for threats, so every user should put this patch at the top of their 'install immediately' list."

In its first quarterly patch, Adobe shuttered 13 security holes in Adobe Acrobat and Reader. The quarterly patch, which Adobe announced last month, is scheduled to fall on the same day as Microsoft's Patch Tuesday. Some of the flaws could allow an attacker to run code on the vulnerable system, while others appear to only be denial-of-service issues.

Adobe still needs to work out the kinks in its quarterly patch process, Storms said.

"While the scheduled release cycle for Adobe updates is a big improvement in helping enterprise security teams effectively manage resources, today's security bulletins are still missing information," Storms said in a statement. "Security managers need Adobe to step up and provide mitigation steps and more detail on both the bugs and the patches."

Apple rounded out the patch parade with an update, released on Monday, that fixed more than 50 flaws in its latest browser, Safari 4.

18 December 2008

Browsers fail password-management security tests

Have you ever wondered whether the web browser you're using is secured? Let's put them to the test.

Five popular web browsers were put to the test:
  • Google's Chrome
  • Apple's Safari
  • Microsoft's Internet Explorer 7.0
  • Mozilla Firefox
  • Opera

Google's Chrome browser and Apple's Safari have received poor marks in a new set of tests evaluating the security of password-management features in five popular Web browsers.

Read the report for more details and the astonishing results.