Feeds

Making sport of browser security, hackers topple IE, Safari

Once again

Beginner's guide to SSL certificates

Microsoft not left out of the carnage

Not to be left out, IE was equally devastated. Steven Fewer, an independent security researcher and principle of security consultancy Harmony Security, said he also exploited a use-after-free bug in the browser. Microsoft has fortified IE with a security sandbox that isolates it from more sensitive parts of the operating system, so Fewer had to exploit a design flaw in to break out.

“The (sandbox) escape I found was pretty easy, to be honest,” he said. “Surprisingly so.”

In all, he said it took him about six weeks of full-time research to find the bugs and write working exploits for them.

As the contest commenced, there were four contestants signed up to attack Safari, three to attack IE and just one to attack Chrome, which in addition to the $15,000 prize awarded by Pwn2Own sponsor Tipping Point, also fetched $20,000 from Google. The contestant never showed.

Day Two of the contest will turn its attention to smartphone security, with $15,000 prizes to the first person who successfully commandeers a Dell Venue Pro running Windows 7 Mobile, an iPhone 4, a BlackBerry Torch 9800, and a Nexus S running Google's Android. All four platforms have multiple contestants signed up to attack them, although Android hacker Jon Oberheide recently dropped out after killing his own Android vulnerability.

George Hotz, the prolific hacker and jailbreaker who goes by the moniker GeoHot, has also dropped out, evidently because Sony, which is waging a no-hold-barred legal fight against him for unlocking the PlayStation 3 game console, has given him much more pressing things to attend to.

The contest runs through Friday at the CanSecWest security conference in Vancouver. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.