Security Researchers Prove IE8 Still Vulnerable
- by John Lister on 20100326 @ 10:29PM EST
Two hackers took just two minutes to break into a PC running Windows 7 64-bit with Internet Explorer 8 at a security conference earlier this week.
The ethical hacking took place at the CanSecWest security event in Vancouver, which hosts an annual contest named "Pwn2Own." The name is taken from an online corruption of "own" in two senses: whoever is first to take control of a system wins the relevant hardware, plus between $5,000 and $10,000 in cash. (Source: darkreading.com)
Windows 7 DEP and ASLR Hacked, Disabled
In the contest, the hackers were not able to physically access the machine. Instead, the usual approach is to ask a judge to point the computer towards a malicious website, in the same way as if an unsuspecting user had clicked on a dubious link. In most cases, the contestant will have developed a strategy and created the bogus website before the event, meaning their contest entry takes effect almost immediately.
The winning tactics involved disabling two key security measures in the system. Data Execution Prevention (DEP) marks regions of memory that hold data as non-executable, so that code injected through a buffer overflow, in which input spills past its intended buffer into adjacent memory, cannot be run.
Address Space Layout Randomization (ASLR) places key areas of a program's memory at randomized locations, making it much harder for rogue software to know exactly where to target. (Source: computerworld.com)
Mozilla's Firefox, MacBook Fall Prey
The hackers, who used programming code to fool the machine into bypassing the security measures, also targeted Firefox later in the day. However, Microsoft wasn't the quickest victim: three-time Pwn2Own winner Charlie Miller carried out the first successful attack of the day, taking down an Apple MacBook running the Safari web browser.
The contest also had a mobile device category for the first time, with an iPhone being hacked in a staggering 20 seconds, the exploit gaining complete access to the database of text messages on the handset.
The organizers of the contest share details of the winning entries with the relevant companies. That hasn't stopped some criticism that the competition prizes encourage some entrants to "save up" details of potential security flaws to win the cash, rather than notify the manufacturers as soon as they are discovered.
