IE Falls In Pwn2Own

Vupen Security said it will publicly detail only one of two bugs involved. Meanwhile, Google has already patched the Chrome bug exploited in the Pwnium contest.
Securing The Super Bowls Of Sports
Securing The Super Bowls Of Sports
(click image for larger view and for slideshow)

Internet Explorer Thursday became the latest Web browser to be exploited at the Pwn2Own contest, a fixture at the annual CanSecWest security conference in Vancouver.

French vulnerability research firm Vupen Security exploited IE using two vulnerabilities. According to a post to Vupen's Twitter feed, "IE9 on Windows 7 SP1 x64 is the second browser to fall at#pwn2own. Our exploit included two 0 days to fully bypass ASLR/DEP + Protected Mode."

One of the bugs exploited by Vupen involved a heap overflow that exists in all versions of IE, from version 6 on up to version 10, which is currently being previewed. "It was difficult because the heap overflow vulnerabilities are not very common," Vupen CEO Chaouki Bekrar, told SecurityNewsDaily. "They [the flaws] are rare, but they are useful because you can use the same vulnerability to achieve memory leak and thus bypass ASLR." ASLR refers to address space layout randomization, which is intended to make it difficult for attackers to locate code they need to carry out exploits.

The other flaw exploited by Vupen was a bug in IE's protected mode--akin to the sandbox in Google Chrome--which its team needed to defeat so that it could then make use of the heap overflow vulnerability.

[ Today's changing IT environment makes security more challenging than ever. Here's what you should keep in mind when it comes to bolstering the security of your data. 10 Lessons From RSA Security Conference. ]

Vupen, which sells vulnerability information, said it will share the heap overflow bug information with Pwn2Own contest sponsor HP TippingPoint's Zero Day Initiative (ZDI), who sponsored this year's Pwn2Own contest. But Vupen said that for now, it will detail the IE protected mode flaw only to its own customers.

Bekrar said two of his employees had spent six weeks preparing zero-day exploits to use at the contest, and it shows: The French security researchers were also responsible for taking down the first browser in the contest: Google Chrome browser. That exploit was notable because Chrome hadn't been "owned" at either of the last past two years' Pwn2Pwn contests, due--security experts have said--to the strength of Chrome's sandbox.

This year's Pwn2Own contest runs from Wednesday through Friday. The contest targets four browsers--Chrome, IE, Apple Safari, and Mozilla Firefox, running on Windows 7 or Mac OS X Lion--and awards points based on the exploits used, with a working zero-day exploit earning 32 points.

According to the rules, "The first contestant (or team) who is able to write an exploit for the announced vulnerabilities will be awarded 10, 9, or 8 points, depending on the day the exploit is demonstrated." The public vulnerabilities to be exploited, however, were announced only when the contest began, meaning that participants must write exploits on the fly.

By the end of Thursday, Vupen was in the lead, with 124 points. There was only one other challenger, the team of "Willem & Vincenzo"--Willem Pinckaers of Matasano Security and independent researcher Vincenzo Lozzo--which had earned just 10 points for exploiting a public vulnerability. But according to the contest rules, "no team or individual can win without having demonstrated at least one zero-day vulnerability." This means that so far, only Vupen is set to finish.

Google, a past sponsor of Pwn2Own, pulled out after rule changes exempted winners from having to disclose the vulnerabilities they'd used to "own" browsers. Instead, Google launched its own Pwnium contest, offering up to $1 million in prize money, including $60,000 for each successful attack that could use only Chrome bugs to execute arbitrary code. But Pwnium has several other stipulations, such as requiring that any attack used to exploit a vulnerability must have never been demonstrated before. Also, winners must disclose every vulnerability they've exploited in full to Google.

Veteran Chrome bug finder Sergey Glazunov scored an early win on Wednesday, the first day of Pwnium, earning $60,000 for successfully exploiting a Chrome bug to escape the sandbox and exploit arbitrary code. But by Thursday morning, Google announced that it had patched the related code errors, which it said had involved a universal cross-site scripting and "bad history navigation" bug.

The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)