Hackers Pwn Safari, Internet Explorer At Security Conference

Hackers have shown that even the newest versions of browsers can be quickly compromised. Especially when there are prizes to be had.

Safari and Internet Explorer 8 have both been hacked as part of the pwn2own contest at the CanSecWest security conference in Vancouver.

The contest rules are that a hacker must get the target computer to run an arbitrary piece of software - allowing the machine to be pwned. (The term comes from an old typo for owned.) The prize is the machine itself, in this case an Apple MacBook Air and an Alienware M11x. The browsers challenged are Safari version 5.0.3, Internet Explorer 8, Mozilla Firefox, and Chrome. In addition there is a cash prize of $15,000 for defeating Safari and IE 8, and $20,000 for Chrome.

Safari was eventually beaten by a team from VUPEN, a French security company. Security researcher Stephen Fewer of harmony Security took home the prize.

The vulnerability in Safari was attacked by having the user visit a specific web page. VUPEN's chief executive officer and head of research Chaouki Bekrar said in an email that is a common way for malware authors to infect computers. The browser downloads the hacker's code to the computer while it is parsing the Javascript and HTML code. Once the VUPEN software was on the computer, it was able to execute a file when a user ran the calculator program.

For IE 8, Fewer attacked three separate security holes in the software. One reason is that IE 8 has a protected mode that is designed to prevent such attacks.

Both contestants required a few weeks to put the hacks together, according to Ars Technica. The full details won't be released until both Apple and Microsoft issue fixes. Ordinary anti-virus software wouldn't protect against these attacks, Bekrar said, because they haven't been released before. VUPEN provided the details of the security hole to Apple.

Google's Chrome was the only desktop browser that went unchallenged; evidently the contestant who registered for the contest never submitted his attack. Sam Thomas, who was to write the attack for Firefox, withdrew.

To contact the reporter responsible for this story call (646) 461 6917 or email j.emspak@ibtimes.com.