A team of French researchers exploited two different IE zero-day flaws to break into a fully patched Windows 7 SP1 machine and take an almost unassailable lead in this year’s CanSecWest Pwn2Own competition. The hacking team, from French security research outfit VUPEN, used an unpatched heap overflow bug to bypass DEP and ASLR and a separate memory corruption flaw to break out of the browser’s Protected Mode sandbox. The code execution attack, which required no user action beyond browsing to a rigged web site, also works on Internet Explorer v10 (consumer preview) running on Windows 8.Déjà vu.
But the real story is that Chrome also got pwned too. The leader of the successful team said:
“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” he said.It looks like Firefox will fall too.
During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox.”
Bekrar’s team came equipped for zero-day flaws for all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — but he said the decision to go after Chrome first was a deliberate tactic.