
IE Falls In Pwn2Own

Vupen Security said it will publicly detail only one of two bugs involved. Meanwhile, Google has already patched the Chrome bug exploited in the Pwnium contest.

Internet Explorer Thursday became the latest Web browser to be exploited at the Pwn2Own contest, a fixture at the annual CanSecWest security conference in Vancouver.

French vulnerability research firm Vupen Security exploited IE using two vulnerabilities. According to a post to Vupen's Twitter feed, "IE9 on Windows 7 SP1 x64 is the second browser to fall at #pwn2own. Our exploit included two 0 days to fully bypass ASLR/DEP + Protected Mode."

One of the bugs exploited by Vupen involved a heap overflow that exists in all versions of IE, from version 6 up to version 10, which is currently available as a preview. "It was difficult because the heap overflow vulnerabilities are not very common," Vupen CEO Chaouki Bekrar told SecurityNewsDaily. "They [the flaws] are rare, but they are useful because you can use the same vulnerability to achieve memory leak and thus bypass ASLR." ASLR refers to address space layout randomization, a mitigation that randomizes where code and data are loaded in memory so that attackers cannot rely on fixed addresses when carrying out exploits.

The other flaw exploited by Vupen was a bug in IE's protected mode--akin to the sandbox in Google Chrome--which its team needed to defeat so that it could then make use of the heap overflow vulnerability.

Vupen, which sells vulnerability information, said it will share details of the heap overflow bug with HP TippingPoint's Zero Day Initiative (ZDI), which sponsored this year's Pwn2Own contest. But Vupen said that for now, it will detail the IE protected mode flaw only to its own customers.

Bekrar said two of his employees had spent six weeks preparing zero-day exploits to use at the contest, and it shows: The French security researchers were also responsible for taking down the first browser in the contest, Google's Chrome. That exploit was notable because Chrome hadn't been "owned" at either of the past two years' Pwn2Own contests, due--security experts have said--to the strength of Chrome's sandbox.

This year's Pwn2Own contest runs from Wednesday through Friday. The contest targets four browsers--Chrome, IE, Apple Safari, and Mozilla Firefox, running on Windows 7 or Mac OS X Lion--and awards points based on the exploits used, with a working zero-day exploit earning 32 points.

According to the rules, "The first contestant (or team) who is able to write an exploit for the announced vulnerabilities will be awarded 10, 9, or 8 points, depending on the day the exploit is demonstrated." The public vulnerabilities to be exploited, however, were announced only when the contest began, meaning that participants must write exploits on the fly.

By the end of Thursday, Vupen was in the lead, with 124 points. There was only one other challenger, the team of "Willem & Vincenzo"--Willem Pinckaers of Matasano Security and independent researcher Vincenzo Iozzo--which had earned just 10 points for exploiting a public vulnerability. But according to the contest rules, "no team or individual can win without having demonstrated at least one zero-day vulnerability." This means that so far, only Vupen is in a position to win.

Google, a past sponsor of Pwn2Own, pulled out after rule changes exempted winners from having to disclose the vulnerabilities they'd used to "own" browsers. Instead, Google launched its own Pwnium contest, offering up to $1 million in prize money, including $60,000 for each successful attack that could use only Chrome bugs to execute arbitrary code. But Pwnium has several other stipulations, such as requiring that any attack used to exploit a vulnerability must have never been demonstrated before. Also, winners must disclose every vulnerability they've exploited in full to Google.

Veteran Chrome bug finder Sergey Glazunov scored an early win on Wednesday, the first day of Pwnium, earning $60,000 for successfully exploiting a Chrome bug to escape the sandbox and execute arbitrary code. But by Thursday morning, Google announced that it had patched the related code errors, which it said had involved a universal cross-site scripting bug and a "bad history navigation" bug.
