Pwn2Own is a computer hacking contest held annually at the annual CanSecWest security conference, during which security experts and hackers attempt to hack into devices.
Ahead of this year's contest both Apple and Google released last minute updates on their web browsers. Despite the update, Safari was the first to falter, followed closely by Microsoft's Internet Explorer, which did not see any update prior to the competition.
Reports suggest that VUPEN was the first to take a shot at Apple's browser. The French security company had gained control of the fully-patched Mac OS X 10.6.6 MacBook just five seconds after the browser visited its specially-crafted web page, reported Ars Technica. The exploit worked on Safari version 5.0.4.
Internet Explorer fell to Stephen Fewer of Harmony Security. The 32-bit version of Internet Explorer 8 running on 64-bit Windows 7 Service Pack 1 was exploited through three separate vulnerabilities, which included two to achieve successful code execution within the browser and one to escape the Protected Mode sandbox.
The attempt to exploit Google's Chrome on a Cr-48 Chrome OS notebook failed.
The contest's sponsor, TippingPoint, which provides a report to the applicable vendor, detailing the vulnerability and its exploitation, revealed that in the smartphone category Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers while Android and Windows Phone 7 stood the test.
Charlie Miller, who is better known as Mr. Four-peat at the contest, took down iPhone with his colleague from Baltimore-based consulting firm Independent Security Evaluators (ISE), Dion Blazakis. Miller, who credited his team mate for the success, is a four-time champion (2008 through 2011).
RIM's Blackberry fell to a multi-national team. Vincenzo Iozzo, an engineer at Zynamics GmbH, Ralf-Philipp Weinmann, a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg, and a third researcher from the Netherlands hacked the Torch.
TippingPoint does not release the details of the vulnerabilities to public until the vendor has corrected the vulnerability. Pwn2Own winners are also forbidden from discussing the vulnerabilities. The contest also forbids them from releasing their attack code.