Yesterday saw the first day of the annual Pwn2Own hacking contest held at CanSecWest in Vancouver, Canada, where a number of hacking teams tested the mettle of the most popular web browsers available.
According to eWeek, Apple's Safari browser on Mac OS X and Microsoft's Internet Explorer 8 for Windows 7 fell to hackers on the very first day of the competition.
The contest saw security researchers taking turns at trying to infiltrate the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple's Safari web browsers.
Despite a last-minute update from Apple, Safari was still the first browser to be cracked when a French penetration testing company, VUPEN, exploited a zero-day flaw in the browser to win the challenge. Attendees posted messages on Twitter saying VUPEN cracked Safari in "five seconds". The team walked away with a $15 000 prize and a new MacBook Air.
Chaouki Bekrar, co-founder of VUPEN, used a website that compromised a 64-bit version of a fully patched Mac OS X running on a MacBook. As Bekrar told Ryan Naraine from ZDNet, VUPEN's three-man team spent about two weeks finding the vulnerability in WebKit, the open-source browser rendering engine Safari is based on.
The team had to launch the calculator application and write a file to the hard drive to prove they had gained full user access on the hijacked machine, all thanks to a browser vulnerability.
Apple wasn't alone in its embarrassment though, as Microsoft's Internet Explorer was also cracked, with the prize going to Irish security researcher Stephen Fewer. He hacked into a machine running a 64-bit version of Windows 7 by exploiting similar vulnerabilities in Internet Explorer 8. Fewer apparently exploited two zero-day bugs and then a third vulnerability that allowed him to get out of IE's Protected Mode and into the innards of the operating system.
Google's Chrome was left high and dry however, as the two analysts who had signed up to hack the browser had either not shown up or decided to focus on RIM's BlackBerry smartphone. Mozilla's Firefox is scheduled to undergo an exploit test later today.
The mobile platform portion of the contest is also scheduled to take place today, with teams attempting to hack Apple's iOS, Google's Android, Microsoft's Windows Phone 7 and RIM's BlackBerry OS. A $15 000 award will be given to the first successful hack of each smartphone OS.
So while it seems Microsoft and Apple are out of the browser race, it will be interesting to see how they fare in the smartphone portion, arguably a more important market for Apple.