Pwn2Own: Safari, iPhone, IE, and Firefox All Fall

The Pwn2Own contest at the annual CanSecWest conference in Vancouver, British Columbia has become something of a media event for security researchers, a chance for them to step out from behind glowing LCDs and demonstrate that some of the security threats they’ve hinted could impact everyday computer users are real—and pick up some cash money for their efforts. And this year, they did not disappoint: at the Pwn2Own contest, Apple’s iPhone and Safari fell first to security experts, followed in short order by Internet Explorer 8 and Firefox on Windows 7.

On the Macintosh, the star of Pwn2Own this year was again Charlie Miller of Independent Security Evaluators, who picked up the $10,000 top prize by demonstrating a takeover attack on Safari on an Apple MacBook Pro that granted complete access to the machine without requiring any physical access—all the Safari user had to do was visit a Web site with malicious code. Miller won $10,000 in 2008 for breaking into a MacBook Air, and $5,000 last year by exploiting another security loophole in Apple’s Safari browser.

Dutch security researcher Peter Vreugdenhil also won $10,000 for a security exploit that bypassed security features in Microsoft’s Internet Explorer 8. A researcher from the UK’s MWR InfoSecurity named Nils—no last names, please—picked up another $10,000 for an exploit targeting Firefox on the 64-bit version of Windows 7. Last year, Nils picked up $15,000 for a collection of exploits that targeted Firefox, Safari, and Internet Explorer 8.

Perhaps the star of the show, however, was Apple’s iPhone, which fell victim to Ralf Philipp Weinmann and Vincenzo Iozzo, of the University of Luxembourg and the German company Zynamics (respectively), who will share a $15,000 prize.

Researchers aren’t sharing the specifics of their attacks with the general public, in order to give browser and operating system developers a chance to patch the loopholes. However, Miller’s attack on Safari is being described as so reliable that, in information security terms, it’s “weaponized.” Vreugdenhil’s attack on IE8 was a four-part process that exploited two separate vulnerabilities; as with Miller’s Safari attack, it launched from a user connecting to a Web site containing malicious code. Nils’ attack on Firefox exploited a memory corruption bug.

Weinmann and Iozzo’s attack on the iPhone also involved visiting a site bearing malicious code; the technique bypassed the iPhone’s code-signing requirement and could be used to access an iPhone’s SMS database, contacts, photos, or other data.

The Pwn2Own contest is sponsored by TippingPoint’s Zero Day Initiative.

As of the start of the second day of the Pwn2Own contest, Google’s Chrome 4 remains the only browser left standing…but that’s probably because it wasn’t tested at all on the first day.

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…