2011 Hacking Contest Browser Results
Wednesday, March 16, 2011
Pwn2Own, now in its fifth year, is a hacking competition divided into two areas: web browsers and mobile phones.
This year’s Pwn2Own contest has come and gone with February, leaving in its wake 3 exposed browsers. Vupen (a French security firm) hacked the Apple Saffari browser version 5.0.4 earning $15,000 from TippingPoint. The Google Chrome browser was not attacked directly in the contest, meaning no one took home the grand-prize of $20,000, although a vulnerability was discovered in Chrome, by an independent team of Vincenzo Iozzo, Ralf Philipp Weinmann and Willem Pinckaers, who collectively received $1,337 from the Google’s Bug Bounty Program. Most major systems that support Chrome have already patched the hole, with the exception of Apple’s iPhone 3G, and iPod Touch. The Internet Explorer 8 browser was hacked by Harmony Security founder Steven Fewer, winning him $15,000 and a new laptop. Microsoft reports the bug is already patched in their new Internet Explorer 9. Mozilla’s FireFox browser [and Chrome] was the only one to survive the test of weekend, proving Mozilla’s Bug Bounty program really pays off. All in all, 3 major browsers were found with vulnerabilities, showing that currently ‘Mozilla FireFox’ is the best browser option out there. I really like this overall review, as it slaps fanboys with its honest criticism, and humbles us all with future projections of security and web browsers.
http://lockboxx.blogspot.com/2011/03/pwn2own-2011-hacking-contest-browser.html
IE was equally devastated.
Steven Fewer, an independent security researcher and principle of security consultancy Harmony Security, said he also exploited a use-after-free bug in the browser. Microsoft has fortified IE with a security sandbox that isolates it from more sensitive parts of the operating system, so Steve had to exploit a design flaw to break out.
“The (sandbox) escape I found was pretty easy, to be honest,” he said. “Surprisingly so.”
Firefox and Chrome web browsers were undefeated
Phone Hacking Competition: Android, and Windows Phone 7, Undefeated
March 16, 2011
From the results of the Pwn2Own hacking competition, it looks like Android and Windows Phone 7 are tough nuts to crack.
It took only two days for hackers to crack into the Apple and Blackberry operating systems during the three-day Pwn2Own tournament last week, while Android and Windows Phone 7 models were abandoned and left unhacked by the end of the contest.
Is this because their operating systems are more secure? Yes and no.
“The survival of a target at Pwn2Own does not automatically declare it safer than a target that went down,” last year’s Internet Explorer Pwn2Own winner Peter Vreugdenhil cautions. The contestants who were lined up to beat the Android and WP7 devices in the competition withdrew for a variety of reasons.
Pwn2Own, now in its fifth year, is a hacking competition divided into two areas: web browsers and mobile phones.
This year, Microsoft Internet Explorer 8, Apple Safari 5.0.3, Mozilla Firefox, and Google Chrome were the web-browser targets. In the mobile phone category, the Dell Venue Pro (Windows Phone 7), Apple iPhone 4 (iOS), BlackBerry Torch 9800 (Blackberry 6) and Nexus S (Android) were targeted. The OS and browser versions were frozen last week (so for example, Apple’s Safari 5.0.4 update was not used), ensuring that all contestants are working on the same version of each OS.
Pwning and owning occurs if the hacker defeats the frozen version. If the exploit they used still exists in the current firmware, they are also eligible to receive a monetary prize. The 2011 Pwn2Own competition ran March 9 to 11.
Vreugdenhil says many different factors determine how hard a target is to hack. There’s the safety of the software itself, the exploit mitigations that are already in place for that software, and then the amount of research that has already been conducted (which can speed up the process of writing an actual exploit).
Firefox and Chrome web browsers were also left undefeated because contestants withdrew from Pwn2Own.
“Chrome has the advantages of having multiple exploit-mitigation techniques that certainly make it more difficult to hack. As for Android, we see no particular reason why Android would be harder to hack than one of the other targets.”
Safari, Chrome, iPhone, Android and Blackberry all use WebKit in their browsers, which means that they are all susceptible to exploitation through the browser – and that’s exactly how the iPhone and Blackberry were attacked.
Charlie Miller, a Pwn2Own veteran, worked with Dion Blazakis to hack the iPhone 4 in this year’s competition using a flaw in its Mobile Safari Web browser and a “specially-crafted webpage.” A team of 3 (Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmenn) defeated the BlackBerry Torch using a similar technique.
So what did the contest’s organizers think of the outcome of 2011’s Pwn2Own?
Vreugdenhil and other organizers were not surprised that the iPhone went down quickly. It has been a major target and a lot of research has already been done on that platform.
Android’s survival was a bit of a surprise, since it is also a big target and had four contestants lined up.
… some factors contribute to a safer product. For those that are out to find the safest phone on the market, Vreugdenhil says you’ll want to compare features such as DEP (Data Execution Prevention), ASLR (address space layout randomization), Sandboxing, code signing and the ease with which software can be updated on the device.
http://www.wired.com/gadgetlab/2011/03/hacking-android-windows-phone/
Safari was the first browser to falter, followed by Microsoft’s Internet Explorer. Strangely Microsoft didn’t offer any last minute security updates. It took only 5 seconds to take control of Safari after french group VUPEN pointed the browser to its specially designed web page.
“Oh yes I remember this contest. Last year they used flash to hack a entire computer under 2 mins. Looks like that isn’t even needed now.”
http://www.the-magicbox.com/forums/showthread.php?p=553589
Chrome last year was the most secure and could not be uprooted.
The DoJ and the FBI take down a botnet
By Peter Bright, April, 2011
while efforts such as Microsoft’s disruption of the Waledac and Rustock botnets were successful, they were far from perfect. These efforts left the malicious software running on the infected PCs they just removed the command and control servers, the centralized machines that tell the botnet what to do. Should the bot herders regain control of the domain names or IP addresses used by the command-and-control servers, the infected machines will be able to successfully connect to them, and the networks will once again spring into life.
A new Justice Department attack will go some way towards solving that problem, at least for the botnet known as “Coreflood.” A federal judge has authorized the non-profit Internet Systems Consortium, working in conjunction with the FBI , to go beyond taking down the command-and-control servers: the ISC has installed its own command-and-control servers. The command the servers are sending? Kill the botnet malware. The servers were swapped out on Tuesday evening, and the kill command was duly sent.
The kill command still stops short of removing the malware altogether each time an infected PC is rebooted it will try to restart the botnet software. But every time, the new command and control servers will tell the software to shut down, preventing it from causing any more harm.
In tandem with this effort, Microsoft has updated its Malicious Software Removal Tool to enable it to remove the Coreflood malware itself. Some users will likely receive this tool through Windows Update, but to ensure greater reach, the new command and control servers will record every IP address that tries to reach the command and control servers. This IP address information will be used to inform ISPs that machines are infected. In turn, the ISPs will inform their end users, and provide information on where to get the MSRT.
Coreflood
Coreflood was a particularly nasty botnet. Rather than merely sending spam, it stole banking and other financial information from infected pc’s. This harvested information was then sent to the command-and-control servers, and according to court filings, allowed criminals to steal hundreds of thousands of dollars from victims. The Coreflood software has been around since 2003, receiving regular updates in an effort to keep one step ahead of anti-malware software. It started out as a regular trojan a program that masquerades as something useful but which actually does something harmful before gaining botnet capabilities in 2009. Over the course of its life, more than two million machines were infected.
Though this aggressive move is likely to be effective in combatting the botnet, not everyone is convinced that it’s an appropriate path to go down. Speaking to Wired, Electronic Frontier Foundation technology director Chris Palmer described it as an “extremely sketchy action to take,” warning that “you don’t know what’s going to happen for sure. You might blow up some important machine.”
Aggressive as it was, other nations have gone further to fight the botnet menace. Last year, Dutch and Armenian law enforcement made a joint effort to kill off the Bredolab botnet. In this case, the Dutch authorities installed their own command-and-control servers, using them to distribute a program to infected computers that would redirect users to a website giving specific information on how to disinfect their computers. This seemed to work well, with authorities reporting more than 100,000 visits to the site.
There’s no word yet on how effective the Justice Department’s plan has been. If manual outreach proves effective then there may be no need to go one step further as the Dutch did. But if persistent infections continue to be an issue – as they are with Rustock and Waledac – then American law enforcement may well be tempted to take more proactive measures against the botnets, in spite of the concerns this raises.
http://arstechnica.com/security/news/2011/04/doj-fbi-set-up-command-and-control-servers-take-down-botnet.ars
Chrome to guard against malicious downloads
By Peter Bright, April, 2011
Google already warns users of its search engine if the page they’re about to click on is likely to be malware. The company also has an API, the Safe Browsing API, to allow Web browsers to check if a URL is bad or not. This API is already used by Chrome, Firefox, and Safari.
Google has just announced that it’s going to take this protection even further in its Chrome browser and apply it to executable downloads. Click a link that downloads a program Google’s Safe Browsing API regards as hostile and you’ll see a warning, along with an option to cancel the download.
Initially, malicious Windows programs will be the target. Such programs are unfortunately commonplace and generally depend on social engineering tricks-rather than outright security flaws-to lure users into installing them, with fake video codecs and bogus anti-virus software both being popular approaches.
A similar security system, designed for a similar purpose, was included in Internet Explorer 9. In that system, each download has a reputation attached to it, which is determined by the number of other people downloading a particular file. Try to download a file with a bad reputation and the browser will warn you that there’s a chance it’s malicious. This builds on top of the SmartScreen URL verification found in Internet Explorer 8 that offers equivalent functionality to the Safe Browsing API (though Microsoft claims that SmartScreen is far more effective).
The new Chrome feature will initially be available in the development version of the browser, and the company hopes to have it ready in time for the next stable release.
http://arstechnica.com/security/news/2011/04/chrome-to-guard-against-malicious-downloads.ars