The security myth exposed (again): Major browsers and iPhone fall at Pwn2Own 2010
By Paul Ridden
April 1, 2010
The results are in. Only one major browser remained standing at the end of the Pwn2Own 2010 contest at this year's CanSecWest security conference in Vancouver; the rest fell with relative ease. On the operating table were the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari - but which one lived to tell the tale?
For the fourth time, the Zero Day Initiative sent out invites to security specialists around the globe to head to Vancouver towards the end of March and go head to head with the market-leading web browsers that dare to call themselves secure. The object of the contest is simple enough: find an exploitable security hole and use it to break in. The winners walk away with the hardware on which the exploit was successful (hence the competition title, "pwn to own") and a share of US$100,000 in prize money. For the losers, the walk of shame.
A MacBook Pro and US$10,000 went to Charlie Miller of Independent Security Evaluators for successfully delivering a full command shell payload through Safari without ever having physical access to the machine - the victim browser simply visited a page under his control. Taking home an HP Envy Beats and a further US$10,000 was independent security researcher Peter Vreugdenhil for making short work of the security features of Internet Explorer 8 on Windows 7 64-bit edition. A Sony Vaio and yet another US$10,000 went to a researcher from MWR InfoSecurity for launching a calc.exe payload by exploiting Firefox on Windows 7.
So what happened on day two? Nothing, as it turned out: all of those successes were enjoyed on day one of the three-day contest. No doubt you'll have noticed one browser missing from the roll of (dis)honor: Google's Chrome. For the second year running, Chrome walked away unscathed. That is not necessarily because the browser is unhackable; according to ZDI, it is simply that "no one decided to take it down", adding that "there are many researchers sitting on Chrome vulnerabilities". A browser surviving the contest, in other words, means only that nobody chose to spend a working exploit on it.
Google's Android mobile operating system on HTC's Nexus One also escaped unharmed in the mobile phone part of the competition. Apple's iPhone, however, fell in just 20 seconds: Vincenzo Iozzo and Ralf Philipp Weinmann broke in and read the text messages stored on the device. Nokia's Symbian platform also fell to an anonymous contestant.
All vulnerabilities discovered in the contest have been reported to the various vendors to give them the chance to patch things up.