Mac pwned in pwn2own ... again.

[w1z4rd]

Security researchers at the CanSecWest conference have kicked off the annual Pwn2Own security event.

The 2010 edition of the contest challenged convention attendees to produce working exploits on several PC-based browsers and mobile handsets. In the first day of competition, three of the four targeted systems had been exploited.

Researcher Charlie Miller was able to claim a prize for the third year in a row by quickly compromising a MacBook Pro running Safari. Miller has delivered similar exploits for Apple notebooks in each of the previous two Pwn2Own events as well.

Miller presented his exploit after fellow researchers Vincenzo Iosso and Ralf Phillip Weinmann were able to score the first successful exploit of the day by compromising Safari on the iPhone through the use of a specially-crafted text message.

Apple was hardly alone in the hacking spotlight, however. MWR InfoSecurity researcher Nils was able to exploit the Mozilla Firefox browser on Windows 7 through a previously-unknown vulnerability.

Microsoft saw its latest browser laid to waste as well when researcher Peter Vreugdenhil compromised a fully-patched version of Internet Explorer 8 running on a Windows 7 notebook.

The only browser to survive the first day was Google's Chrome. None of the day one contestants attempted to run an exploit on the browser.

Further exploits could be revealed in the next two days as the contest is expanded to browsers running on the Windows Vista and XP platforms.

http://www.v3.co.uk/v3/news/2260272/researchers-hack-away-pwn2own

Macs Safari went down quickly, followed soon after by Win7 running the terrible IE8.

Seems Chrome survived the ordeal. I wonder how the next two days are ganna play out.

 

[Hectic]

Has anyone actually try to to hack Chrome? Every time I read one of these reports it says that nobody tried to exploit Chrome. A year or 2 ago I could understand this as Chrome was new and had no real market share, but that has changed?

Or do they know something and don't want to try it?

 

[PeterCH]

No details given - may as well not post anything.

http://it.slashdot.org/comments.pl?sid=1595842&cid=31618956

The exploits were of course not found in the 5, 10 or 15 minutes advertised. They were all worked on for weeks, and even months, and were well-tested and prepared before being executed at the contest like a rehearsed stage play. Also worth to note is that the reason behind "Chrome only browser that withstood security breach" was that NO ONE TESTED CHROME AT ALL. I give this particular "Pwn2Own" show no credibility what so ever because of these details.

 

[DJNgoma]

Google pays people to find exploits in Chrome... So nobody willing to try is understand to a certain point I guess.

 

[dequadin]

There's actually a very good technical reason why Chrome survived the first day of pwn2own again (it did this last year as well): Sandboxing

It should go down on day two when they normally allow exploits via plug-in(s), and (as we all know) Flash is usually the culprit...

 

[I am Penguin]

http://www.v3.co.uk/v3/news/2260272/researchers-hack-away-pwn2own

Macs Safari went down quickly, followed soon after by Win7 running the terrible IE8.

Seems Chrome survived the ordeal. I wonder how the next two days are ganna play out.

Yep ,me too wonder how/why?

The only browser to survive the first day was Google's Chrome. None of the day one contestants attempted to run an exploit on the browser (Chrome?)

 

[dequadin]

Yep ,me too wonder how/why?

Sandboxing

Does not one listen to anything I say?