iPhone, IE, Firefox, Safari get stomped at hacker contest
Ashes, ashes all fall down
CanSecWest It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.
Like dominoes falling in rapid succession, the platforms were felled in the fourth year of the contest, which has come to underscore the alarming insecurity of most internet-facing software. To qualify for the big-money prizes, the exploits had to attack previously undocumented vulnerabilities to expose sensitive system data or allow the remote execution of malicious code.
The exploits were all the more impressive because they bypassed state-of-the-art security mitigations that the software makers have spent years implementing in an attempt to harden their wares. Those included DEP, or data execution prevention; ASLR, or address space layout randomization; and, in the case of the iPhone, code signing to prevent unauthorized applications from running on the device.
"Code signing by Apple is tough, though I'm not sure if they do it for security or just to lock people into their platform," said Halvar Flake, a security researcher for Germany-based Zynamics. He compromised the iPhone using an exploit written by his colleague Vincenzo Iozzo. University of Luxembourg student Ralf-Philipp Weinmann was also instrumental in developing the attack.
The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.
As a result, the hackers were able to create a website that when visited by the Apple smartphone forced it to spill a copy of its SMS database. The file includes a list of contacts as well as complete copies of messages that have been sent and received. The database also contains deleted messages unless a user has gone through the trouble of manually erasing them.
The hacks came on day one of the contest, which offers a total of $100,000 in prizes and coincides with the CanSecWest conference in Vancouver. It comes three months after criminal hackers pierced the defenses of Google, Adobe and about 33 other large companies using similar vulnerabilities in an older version of IE. The relative ease contestants had in exploiting other platforms suggested that they are susceptible to the same types of attacks when there is the financial incentive to develop them.
DEP and ASLR, which Microsoft began implementing with the release of Service Pack 3 for Windows XP, didn't fare much better. Peter Vreugdenhil, a researcher with Netherlands-based Vreugdenhil Research, was able to hijack a laptop running IE 8 on Windows 7, a combination widely considered by white hat hackers as among the hardest to compromise.
Unlike previous DEP- and ASLR-busting techniques, Vreugdenhil's exploit didn't use Adobe Flash, or any other third-party software to accomplish the feat. Rather, it relied on an information-disclosure exploit that allowed him to identify the memory location of a core module that was loaded by the Microsoft browser.
"I used that knowledge to create a DEP bypass by reusing code in that module to change the protection," he said a few minutes after causing Windows 7 to spontaneously open a calculator program. "The vulnerability that I found allowed me to lay out the heap exactly as I wanted to, which is not always possible."
A PDF with additional details of the IE 8 exploit is here.
Firefox running on Windows 7 was also smitten. The author of that exploit was Nils, the same hacker who successfully compromised machines running IE, Firefox and Safari at last year's Pwn2Own contest. As was the case then, he asked that his last name not be printed, but this time the 26-year-old said he is the head of research at MWR InfoSecurity, a security consultancy in Basingstoke, UK.
Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it, said Pete LePage, a senior product manager for IE. He said Microsoft isn't aware of attacks in the wild that target the vulnerability.
Safari was also part of the spoils, making this the third consecutive year contestant Charlie Miller has compromised the Apple browser. Miller, 36, who is principal security analyst at Independent Security Evaluators, said he came to this year's contest armed with close to 20 working attacks that in virtually every case allow him to seize control of the Mac running the program.
He said he found all of them using the same rudimentary, five-line script written in Python, raising the very legitimate question: If he can find them, why haven't people working on Apple's security team found them, too?
"Tomorrow, I'm going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they'll find my 20 [bugs] and probably a lot more," Miller said. "Hopefully, they'll keep doing that and improve their mechanisms of finding bugs as opposed to just slapping band-aids every time I send them email about what bug I have."
The iPhone hack fetched $15,000 and the browser exploits were awarded $10,000 each.
The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals. Plenty of Linux and Mac fans cite the absence of real-world exploits on those platforms as proof positive that they are inherently safer than the prevailing Microsoft operating system. It's an argument that carried little weight in Vancouver.
"The problem Microsoft has is they have a big market share," said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for Opera. The web at the moment is pretty scary, actually." ®
The article does refer to Apple applying band-aids every time he emails them, so to me that sounds like he does inform them.
What's wrong with earning some cash from this? The man has to eat, and I'm damn sure Apple don't say "Thank you very much" and hand him a cheque every time he emails them an exploit. Which is a pity as I'm sure browser security would improve no end if the browser authors actually compensated security researchers for their hard work.
Stop scaring people
(Most) of these hacks are useless. You'd make most people think we could steal their bank accounts simply by identifying the IP address of their device... Other than for Windows, no, none of these "Owns" actually provided that.
Take the iPhone: Only if directed to a specific website can it be compromised, and even then it simply dumps the SMS history file. No contact database, no account settings, no passwords, can't install a bot, can't take over the device; just a simple trick to get it to release a file which can surely be easily patched.
Safari? Great, lots of hacks. Did any of them result in permission escalation that would allow the installation of a dangerous application (keylogger, bot, something that can corrupt data, etc, steal the keychain file?) No. It simply provided the person on the other end the ability to access files that Safari otherwise could, and only manually not with some automated code. Even half of that only works if no AV software or white list app was in use.
Windows is a gaping hole, yes we all know. Get in through any browser and permission escalation almost isn't even necessary, but even so it's still easily accomplished. However, as dangerous as the browser itself might be, did anyone even point out that the single most dangerous thing is DOWNLOADING?
1) Never click a link unless that link is on a known trusted site and the hyperlink matches the link text. When in doubt, type the base site URL in and browse to the link manually.
2) Run both AV and AS software (even on Macs). Use a blacklist (if not a whitelist) to avoid going to potentially dangerous or known hacked sites.
3) Never run as root; when possible, disable default admin accounts completely.
4) Never store passwords, SSNs, or any other important information in unencrypted systems.
5) Use IE only when it's required explicitly by the site (and question why that is, if it is). Use Opera or Chrome.
6) Download only when necessary, and only from trusted sources, and scan all files before they're opened. If you really must use torrents, do that in a VM or an alternate machine that is clean of any sensitive information.
7) Only use online banking if it supports dual-factor authentication. Pay online using a real credit card, a debit card if you don't have one, and never use your checking account number online if it can be avoided.
8) If your bank doesn't provide fraud protection on your debit card, change banks. Check to see if they offer it on checking as well.
9) Use very strong passwords, and never use the same password on more than one site. Spend $10 on a good password manager application, and change all your site passwords regularly.
10) Be VERY careful about social networks. Never add someone as a friend just because they asked; you should actually KNOW them. Don't post anything online, ever, that you would not otherwise want to make public to the entire world, even in private parts of your site.
11) Set your default browser to one you DON'T use, that has no plug-ins installed, and is set to the tightest possible security settings. If a link opens in your default browser, and it's safe, copy the link into the browser of your choice.
12) Never forget: no company will EVER e-mail you to go to their site about a security or account change issue.
13) Unsubscribe from everything, get off all mailing lists, and tell your friends and family to take you off theirs as well. Use an alternate e-mail account when sites make you provide one, and keep your private e-mail, business e-mail, and "other" e-mail completely separate.
14) USE A HARDWARE FIREWALL, and keep the software firewall in your OS on, don't run services you don't have to, and keep sharing on your notebook turned off outside your home.
Limiting your surface area is a much more effective prevention from hackers than is actually securing the system. If they can't see your IP, external penetration attacks are useless. If you don't do stupid things, and follow their links, or download infected apps, you have essentially taken away every vector they have into your machine. Almost every single hack used in this contest required the user to do something (most commonly go to a web site). YOU are the security hole...
A simple (and very pertinent) question and he gets multiple downvotes, really? So I guess some commentards have a knee-jerk reaction and just automatically downvote anything that happens to mention Linux, regardless of the context.
& to ZedroS: as Chemist said, without a separate privilege escalation the attacker would presumably be confined just to the rights of the user whose Firefox session got pwned.