By the final day of Pwn2Own, a three-day hacking competition held at the annual CanSecWest security conference, each of the major desktop web browsers had been exploited. As one of the final demonstrations, French hacking team VUPEN exploited Microsoft's Internet Explorer 9 in a bombastic fashion.
The flaws exposed in Internet Explorer 9 are said to go back through several generations of the web browser. VUPEN also claims that the exploits will work on future generations of the Internet Explorer web browser: "This goes all the way back to IE 6," said co-founder of VUPEN, Chaouki Bekrar, in an interview with ZDNet. "It will work on IE 6 all the way to IE 10 on Windows 8."
VUPEN exploited two zero-day vulnerabilities in Internet Explorer 9. The team used an unpatched heap-overflow bug to bypass DEP and ASLR and a separate memory corruption flaw to work around the browser's Protected Mode sandbox, according to ZDNet. Protected Mode is a security feature included in the browser that's meant to contain malicious code and prevent it from executing any commands on the system.
Bekrar said he and his team spent six weeks working full-time to create the exploits for Internet Explorer 9. During that time, the team was also working on exploits for Google Chrome and Apple's Safari browser, which were also presented at the competition.
VUPEN dominated most of the Pwn2Own contest. As previously reported, VUPEN exploited Google Chrome within five minutes of the competition. Soon after, they had moved on to Apple's Safari browser. By the end of the first day, they had created a large gap between themselves and the rest of the competition.
The French hacking team specifically sought to exploit Google Chrome this year because the browser had been untouched in previous years. In addition to being the only un-exploited browser at the competition for two years, Google disowned Pwn2Own after it was revealed that contestants are allowed to enter Pwn2Own without having to reveal full exploits or even the bugs used.
"We wanted to show that Chrome was not unbreakable," Bekrar told ZDNet. "Last year we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year."
VUPEN will eventually be compensated for the exploits they revealed at the competition: "Once the IP has been entered into the competition the winners are not able to resell the exploits to the vendor because [Zero Day Initiative] will turn the exploit over to the vendor for free, once it has been verified," said a competition spokesperson in an email. Zero Day Initiative gives each exploit a point value.
The Pwn2Own competition challenges hackers to find vulnerabilities in the four major desktop web browsers--Mozilla Firefox, Microsoft Internet Explorer, Apple Safari and Google Chrome--and these vulnerabilities are typically used to make browsers safer. The contest is based on a point system. Zero-day exploits, which are categorized as exploits unknown to others or the software developer, earn a team 32 points. In order to win, a team must have demonstrated at least one zero-day exploit.