IE8 and Safari were both hacked on the first day of the Pwn2Own contest but Chrome and Firefox survived.
As reported last month Google had offered an additional $20,000 dollars in addition to the hardware, cash and other prizes on offer in the annual Pwn2Own hacking competition that is part of the CanSecWest security conference.
It also went to great lengths to ensure it couldn't be hacked and paid nine researchers a total of $14,000 for finding vulnerabilities in its Chrome 9.0.597.107 browser. The outside researchers found 15 bugs, and Google identified four more and Google had patched all 19 flaws in time to meet the deadline.
In the event no-one even attempted the challenge as the individual challenger who has registered to hack Chrome was a no-show and the team that did turn up told the organisers they didn't have a Chrome exploit and targeted the BlackBerry instead. Leaving Chrome unexploited for the third year in a row.
Safari 5.3.0 was the first browser to be cracked. A team from French security firm VUPEN won the MacBook Air 13" running Mac OS X Snow Leopard, $15,000 cash and 20,000 ZDI points. VUPEN co-founder Chaouki Bekrar said a team of three researchers took two weeks to assemble the successful exploit which made the browser visit a malicious page they crafted which allowed them to exploit a vulnerability in the browser, bypass OS protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), launch the calculator app in order to prove they could execute arbitrary code on the system and write a file on the hard disk demonstrating that the sandbox had been exited - the two conditions needed to be filled in order to consider the attack successful.
While the techniques used to bypass operating system protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are well-known, the specific use and adaptation of these techniques on 64-bit Safari is unusual and required developing tools and attack code from scratch.
Apple released Safari 5.0.4, which patched some 60 security holes in the version that VUPEN exploited, the day before the competition took place. This wasn't in time for the contest since the rules now stipulate that the configuration to be attacked has to be frozen a week in advance However the successful exploit would have worked even if the attack target had been the newer Safari 5.0.4. Apple has now issued a patch to protect against it.
Internet Explorer 8 was also successfully exploited by Irish Metasploit developer Stephen Fewer who connected three different security holes to get around the browser's protected mode and other security mechanisms. Microsoft has also already fixed the vulnerability in IE8 and has stated that it didn't exisit in IE9 that is due to launch on March 14.
Per the rules of the competition, full details of the pwn2own attacks, including the bypass techniques, won't be published until vendors have issued patches.
Google offers $20,000 for a Chrome hack