The results of the first day of the Pwn2Own contest, held each year at the CanSecWest conference, are in: Safari and IE8 went down, while Chrome remains unscathed because the registered contestant who was supposed to attack it did not show up.
Researchers from French security firm VUPEN were the ones who managed to compromise a Safari browser (v5.0.3) on fully-patched Mac OS X (v10.6.6).
According to Ars Technica, the researchers made the browser visit a malicious page they had crafted, which allowed them to exploit a vulnerability in the browser and bypass OS protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). They then launched the calculator app to prove they could execute arbitrary code on the system and wrote a file to the hard disk to demonstrate that the sandbox had been exited – the two conditions that had to be fulfilled for the attack to be considered successful.
For their efforts, they received a $15,000 cash prize, an Apple MacBook Air 13″ running Mac OS X Snow Leopard and 20,000 ZDI reward points, which have their own monetary value.
As stipulated by the rules of the contest, the full details of all the attacks will be published only after the vendors have patched the holes, but VUPEN co-founder Chaouki Bekrar revealed that it took three researchers two whole weeks to piece together the exploit used in the attack.
Irish security researcher Stephen Fewer of Harmony Security is the man behind the compromise of the 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1.
He proved the breach in exactly the same way: by running the platform calculator application and writing a file to the hard disk. He revealed that three security vulnerabilities were exploited during the attack and that it took him five to six weeks to find the vulnerabilities and write the exploit.
The prize he collected was $15,000 in cash, the laptop on which he launched the attack and 20,000 ZDI reward points.
This year, Google offered $20,000 and the CR-48 [Chrome Notebook] to anyone who manages to pop the browser and escape the sandbox using vulnerabilities present purely in Google-written code. The first part of the contest, which was to be held on the first day, was a let-down since the contestant didn’t show up – possibly because the latest Chrome update, released on Tuesday, patched a vulnerability that the attacker was planning to exploit.
The contest is to go on for two more days, and Chrome attackers may have their chance yet, as ZDI offers $10,000 for a sandbox escape in non-Google code and Google still offers $10,000 for a Chrome bug. Also waiting to prove their mettle are Mozilla’s Firefox and the four smartphones: Dell Venue Pro running Windows 7, iPhone 4 running iOS, BlackBerry Torch 9800 running BlackBerry 6 OS and Nexus S running Android.