VANCOUVER – On the first day of the Pwn2Own contest here, contestants were able to take down both Safari on Mac OS X and Internet Explorer 8 on Windows 7. None of the researchers decided to try their hand against Google Chrome, however, so that browser was the only one still standing after day one.
The first contestant in the annual hacking contest at CanSecWest here on Wednesday went after Safari on the Mac and was able to exploit an unpatched flaw in the browser and win the MacBook Pro as well as a $15,000 prize. The winner, Chaouki Bekrar of French firm VUPEN, took down the browser within a minute or so using a drive-by download exploit against Safari.
The second entrant was Stephen Fewer, a security consultant at in Cork City, Ireland, who went after IE 8 on Windows 7. Within a couple of minutes, Fewer had defeated the browser, bypassing both DEP and ASLR on the Windows 7 laptop and getting his code to run on the machine. He said afterward that he had chained together three separate bugs in order to defeat the memory protections in IE 8 and get his code to run.
Two contestants were signed up to attempt to exploit Google Chrome yesterday, but the first didn’t show up for the contest and the second, known only as Team Anonymous, told the Pwn2Own organizers that it didn’t have a working exploit ready, so it passed on the chance as well.
On Thursday, researchers will be trying to exploit a series of mobile phones, including the iPhone, Android and BlackBerry. The first contestant to go against the iPhone will be Charlie Miller of Independent Security Evaluators, who has won Pwn2Own each of the last three years by exploiting Safari on the Mac. He didn’t have a chance to try his bug on Safari this year because Bekrar drew the first chance and was successful.
However, Miller has an iPhone exploit ready that he thinks will be successful on Thursday.