| By Robert Vamosi |
At this year’s Pwn2Own browser-hacking competition, a component of the CanSecWest security conference, clever new exploits took down Internet Explorer 8.
Released just days later, Internet Explorer 9 is immune — and offers additional security enhancements.
Safari and IE 8 the only browsers hacked
If you read only that headline from the Pwn2Own 2011 competition, you’d have a skewed view of browser security — especially if you read a little further on that Safari had been cracked in seconds. In reality, it took top security researchers two weeks to build their Safari exploit. And it took another researcher twice as long to build a successful IE 8 exploit.
It was widely reported that Google went unchallenged in the competition. But in truth, none of the competitors took a shot at either Google or Firefox — not because they are unbreakable but because the prize money was not worth the effort.
Pwn2Own does have a silver lining for all of us: it drives browser vendors to push out fixes for vulnerabilities they were in no great hurry to fix.
To successfully crack IE 8, researcher Stephen Fewer needed a variety of exploits, some within the Windows 7 operating system. As noted in an Ars Technica report on the competition, Fewer chained three separate vulnerabilities, one of which bypassed IE’s Protected Mode sandbox. More worrisome, the exploits also bypassed Windows 7’s Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) — the operating system’s two key security technologies.