IE, Firefox, Safari & iPhone taken down at Pwn2Own

At the CanSecWest security conference held earlier this year, IE, Firefox, Safari & iPhone were taken down within minutes. The fully patched systems went down to remote exploits which only goes to show how insecure internet facing systems are.

 


The security implementations of the various systems developed over a period of years proved futile against the hackers. These include data execution prevention (DEP), address space layout randomization (ASLR) and Apple’s famed code signing that prevents unauthorized applications from running on the device.

 

The iPhone’s code signing mechanism was broken using a technique called return oriented programming. DEP and ASLR fell to an information disclosure exploit that allowed him to identify the memory location of a core module that was loaded by the Microsoft browser. Firefox running Windows 7 was also taken down.

 

Contests of this type go on to prove how insecure our internet facing software are. Financial rewards induce many a hacker to exploit similar vulnerabilities sometimes without users even being aware of it until it is a bit too late.

 

According to PCWorld, ‘There are two lessons for businesses to learn about security here, right off the bat. First, using Apple hardware and software is not an adequate defense, in and of itself. Despite the common perception that the Mac OS X operating system is just inherently more secure than Windows, the reality is that the primary reason Macs aren’t attacked and compromised more often is that the platform with 92 percent market share promises malware developers a significantly higher return on investment than the platform with 5 percent market share.

 

Ironically, while there are admittedly no real malware threats circulating in the wild for the Mac OS X platform, the perception of inherent security makes Mac users more vulnerable in other ways. Many Mac users are so sure that the platform is impervious that they are oblivious to security concerns at all. Unfortunately for them, phishing attacks and identity theft are a function of social engineering more than security technology, and the lack of awareness makes Mac users more gullible.

 

The second lesson from Pwn2Own is that the browser is the new Achilles heel of security regardless of the hardware or software platform. The iPhone hack leveraged an unknown vulnerability in the Safari mobile Web browser. The Macbook attack by Charlie Miller also went through the Safari Web browser to get to the operating system. And, the 64-bit Windows 7 compromise relied on an exploit of Internet Explorer 8.

 

Contrary to the mantra to abandon Internet Explorer for “more secure” Web browsers, though, a recent study actually showed Internet Explorer 8 to perform significantly better than other browsers in defending against socially-engineered attacks. The operating system platform the browser is running on also has a significant impact on the security of the browser.

 

The number one lesson to take away from the Pwn2Own contest, though, isn’t about which platform is more secure, or which browser was hacked the fastest. The important lesson to learn is that all platforms and browsers are vulnerable to an attacker with sufficient dedication and resources.’

Comments are closed.