Security Researchers Prove IE8 Still Vulnerable

Dennis Faas's picture

Two hackers took just two minutes to break into a PC running Windows 7 64-bit with Internet Explorer 8 at a security conference earlier this week.

The ethical hacking took place at the CanSecWest security event in Vancouver, which hosts an annual contest named "Pwn2Own." The name is taken from an online corruption of "own" in two senses: whoever is first to take control of a system wins the relevant hardware, plus between $5,000 and $10,000 in cash. (Source: darkreading.com)

Windows 7 DEP and ASLR Hacked, Disabled

In the contest, the hackers were not able to physically access the machine. Instead, the usual approach is to ask a judge to point the computer towards a malicious website, in the same way as if an unsuspecting user had clicked on a dubious link. In most cases, the contestant will have developed a strategy and created the bogus website before the event, meaning their contest entry takes effect almost immediately.

The winning tactics involved disabling two key security measures in the system. Data Execution Prevention (DEP) aims to stop rogue software from running code in areas of the PC's memory that are meant to hold only data, which is what typically follows a buffer overflow, in which more input is sent to a program than it has room for and the excess spills over into neighbouring parts of the memory.

Address Space Layout Randomization (ASLR) involves key areas of data on the machine being arranged in a random order, making it much harder for rogue software to know exactly where to target. (Source: computerworld.com)

Mozilla's Firefox, MacBook Fall Prey

The hackers, who used programming code to fool the machine into bypassing the security measures, also targeted Firefox later in the day. However, Microsoft wasn't the quickest victim: three-time Pwn2Own winner Charlie Miller carried out the first successful attack of the day, taking down an Apple MacBook running the Safari web browser.

The contest also had a mobile device category for the first time, with an iPhone being hacked in a staggering 20 seconds, the exploit gaining complete access to the database of text messages on the handset.

The organizers of the contest share details of the winning entries with the relevant companies. That hasn't stopped some criticism that the competition prizes encourage some entrants to "save up" details of potential security flaws to win the cash, rather than notify the manufacturers as soon as they are discovered.
