Making sport of browser security, hackers topple IE, Safari

Once again


Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them.

The attacks came on Day One of the Pwn2Own contest, which pays more than $15,000 apiece for exploits that successfully give the attacker full remote access of the targeted machine. Wednesday's event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google's Chrome browser was also up for grabs, but no one stepped forward to try hacking it.

“Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security and the contestant who successfully hacked Safari. “This is what we wanted to demonstrate – that we can create a very reliable exploit for Apple Mac OS and Safari without even crashing the browser.”

Contest rules forbid him from disclosing most technical details behind the vulnerability, but he was permitted to say that it involved what's known as a use-after-free flaw in the Apple browser. He said the exploit used a technique known as return-oriented programming to bypass a security protection known as data execution prevention that is built into many Apple programs.

The hardest part of the exercise was writing fuzzing, debugging, and memory dumping software for Macs.

“On windows, you have everything available on the internet,” he said. “You can download everything you want. In (OS X) there is not even shell code available on the internet.”

After building the tools from scratch, it took him about two weeks to find the bug and set out to exploit it. The result was an attack that reliably commandeers a Mac when Safari visits a website that hosts the malicious code.

“Just after visiting the webpage with the affected version of Safari, we can, for example, launch the calculator or open a shell or do anything else we want,” he said a minute or two after demonstrating the exploit at the contest, which was attended by members of Apple's security team. “We have the same privileges as the user who visited the webpage.”

He said users would have no way of knowing their machines have been compromised. There is no prompt asking for a password. The only way to thwart the attack is to run Safari from an account that has been configured to have limited privileges.

Under competition rules, contestants drew a lottery to determine who was the first to attempt hacking a particular browser. Once a browser was compromised, it was eliminated from the running. Both IE and Safari were hacked on the first try.

“I have an exploit all ready to go, and now it's just sitting in my bag,” said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year's prize. “You'd think Apple would be concerned about it.”

Miller said he's had the working attack for more than nine months now. Even after Apple patched a whopping 62 Safari security bugs just hours before the contest started, Miller's exploit still worked, he said.

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021