Mozilla Falls Short on Firefox ASLR Implementation

Like Apple’s Safari, the open-source Mozilla Firefox browser does not properly implement ASLR, a key anti-exploit mitigation that can limit the damage from hacker attacks.  Nils, the U.K.-based researcher who compromised a Windows machine running Firefox for the second year in a row, told me it’s “somewhat trivial” to bypass Firefox’s ASLR implementation because some of the .dll files the browser loads do not opt in to address space layout randomization.  That is enough to undo the mitigation for the whole process: a module that always loads at its preferred base address gives an attacker known code locations to return into, no matter how well the rest of the address space is randomized.
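A quick way to find the kind of module Nils describes, added here as an illustration and not code from Threatpost, Mozilla or Microsoft: a small C program that reads a PE file’s headers and reports whether the image asked for a random base. Windows Vista and later randomize a module only if the linker set the DYNAMIC_BASE flag in DllCharacteristics and left the relocation table in place; one module without it loads at a fixed address. The header offsets and flag values are the documented PE format; the `build_min_pe` helper and the flag words it is fed are constructed for the self-test and do not describe any real Firefox DLL.

```c
/* pe_aslr_check.c: report whether a PE module (EXE/DLL) opts in to ASLR.
 * Added illustration, not code from Threatpost, Mozilla or Microsoft.
 * The headers are parsed by hand so this builds on any platform. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_RELOCS_STRIPPED            0x0001  /* COFF Characteristics */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* opt in to ASLR */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100  /* opt in to DEP */

enum aslr_status { ASLR_BAD_PE = -1, ASLR_NO = 0, ASLR_YES = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Inspect the first bytes of an image. Returns ASLR_YES only if the module both
 * asks for a random base (DYNAMIC_BASE) and kept its relocations: a module with
 * stripped relocs cannot be moved even when the flag is set. The raw
 * DllCharacteristics word is copied to *dllchars_out when that is non-NULL. */
int pe_aslr_status(const uint8_t *buf, size_t len, uint16_t *dllchars_out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return ASLR_BAD_PE;
    uint32_t pe_off = rd32(buf + 0x3c);                   /* e_lfanew */
    /* need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return ASLR_BAD_PE;
    const uint8_t *pe = buf + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return ASLR_BAD_PE;
    const uint8_t *coff = pe + 4;
    uint16_t opt_size   = rd16(coff + 16);                /* SizeOfOptionalHeader */
    uint16_t file_chars = rd16(coff + 18);                /* Characteristics */
    const uint8_t *opt  = coff + 20;
    uint16_t magic = rd16(opt);
    if ((magic != 0x10b && magic != 0x20b) || opt_size < 72) return ASLR_BAD_PE; /* PE32 / PE32+ */
    uint16_t dllchars = rd16(opt + 70);                   /* same offset in PE32 and PE32+ */
    if (dllchars_out) *dllchars_out = dllchars;
    if (!(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) return ASLR_NO;
    if (file_chars & IMAGE_FILE_RELOCS_STRIPPED) return ASLR_NO;
    return ASLR_YES;
}

/* Constructed sample: a minimal PE32 header (DOS stub, signature, COFF header,
 * 224-byte optional header) carrying the given flag words. Not a loadable
 * image; it exists only so the checker can be exercised without a real DLL. */
size_t build_min_pe(uint8_t *out, size_t cap, uint16_t file_chars, uint16_t dllchars)
{
    const size_t total = 0x40 + 4 + 20 + 224;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3c, 0x40);
    memcpy(out + 0x40, "PE\0\0", 4);
    uint8_t *coff = out + 0x44;
    wr16(coff + 0, 0x014c);              /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 16, 224);                /* SizeOfOptionalHeader for PE32 */
    wr16(coff + 18, file_chars);
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x10b);                /* PE32 magic */
    wr16(opt + 70, dllchars);
    return total;
}

/* Runs the checker over constructed headers; returns how many of the four
 * cases behaved as expected. */
int self_check(void)
{
    uint8_t img[512]; uint16_t dc = 0; int ok = 0; size_t n;
    n = build_min_pe(img, sizeof img, 0x2102, 0x0140);   /* DLL with ASLR + DEP flags */
    ok += (pe_aslr_status(img, n, &dc) == ASLR_YES && dc == 0x0140);
    n = build_min_pe(img, sizeof img, 0x2102, 0x0100);   /* DEP only: fixed base, the Firefox case */
    ok += (pe_aslr_status(img, n, NULL) == ASLR_NO);
    n = build_min_pe(img, sizeof img, 0x2103, 0x0140);   /* flag set but relocations stripped */
    ok += (pe_aslr_status(img, n, NULL) == ASLR_NO);
    ok += (pe_aslr_status((const uint8_t *)"not a PE", 8, NULL) == ASLR_BAD_PE);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <module.dll>\n", argv[0]); return 2; }
    static uint8_t hdr[4096];                             /* the headers sit in the first page */
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    uint16_t dc = 0;
    int st = pe_aslr_status(hdr, n, &dc);
    printf("%s: %s (DllCharacteristics=0x%04x)\n", argv[1],
           st == ASLR_YES ? "ASLR" : st == ASLR_NO ? "NO ASLR" : "not a PE image", dc);
    return st == ASLR_YES ? 0 : 1;
}
```

Run it over every .dll in a browser’s install directory; any module it flags as NO ASLR is a fixed-address code source of the kind the bypass relies on. Note that the flag is only an opt-in: on Windows XP the loader ignores it and nothing is randomized regardless.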

Monetary Value of Vulnerabilities Still High

The Pwn2Own contest is probably the best public demonstration of the damage that skilled, dedicated attackers can cause.  Throughout the contest, however, many researchers said the cash and hardware prizes were not enough to get them to give up “high-value” browser vulnerabilities.  The contest sponsors paid $10,000 for every winning browser vulnerability, but researchers say a reliable zero-day browser vulnerability and exploit is worth about ten times that amount.

Apple Safari Still Easiest to Hack

For the third year in a row, security researcher Charlie Miller compromised a fully patched MacBook Pro with a Safari vulnerability and exploit.  Despite Apple’s efforts to make Mac OS X harder to exploit, Miller’s exploits show that Safari is still easy pickings because it lacks the mitigations found on Microsoft Windows.  Safari does not implement ASLR properly (the OS X of the day randomized only library load addresses, not the main executable, heap or stack) and has no sandbox to limit the damage once an attacker gains code execution.


The iPhone sandbox has always been held up as a major roadblock that stops hackers from doing damage on the device.  But, as European researchers Vincenzo Iozzo and Ralf Philipp Weinmann showed, an attacker can read and steal a great deal of sensitive data without ever leaving the iPhone sandbox, because the exploited process already has legitimate access to that data.

Despite the survival of Google Chrome and the fall of Internet Explorer 8 (running on Windows 7), all the browser hackers at the contest maintained that Microsoft’s browser is by far the hardest to exploit.  For starters, IE 8 is the only browser that fully and properly implements ASLR, meaning every module it loads is randomized (see the explanation from Nils).

When Microsoft shipped Windows Vista, the addition of security technologies like ASLR (Address Space Layout Randomization) alongside DEP (Data Execution Prevention) and SafeSEH was held up as a major roadblock to hacker attacks.  With every new service pack or OS upgrade these mitigations got stronger, but at Pwn2Own attackers found ways to bypass and defeat them.  In typical cat-and-mouse fashion, this shows that skilled, dedicated hackers with the right motivation will always find ways to stay ahead of the security technologies.

The only browser that survived Pwn2Own this year was Google Chrome.  This led to numerous news reports suggesting that Google’s browser was somehow more secure than the others.  That is far from the truth.  In fact, the vulnerability that caused the iPhone’s downfall was in the WebKit rendering engine, which Chrome shares with Safari, so the same bug affected the Google Chrome browser as well.  Surviving the contest means only that no contestant demonstrated an exploit against Chrome, not that none was possible.

Despite the multitude of anti-exploit mitigations built into modern operating systems (ASLR, DEP, sandboxing), hackers compromised every major target they went after this year.  This confirms that dedicated attackers with the right (financial) motivation will almost always find a way into computer systems.  It also highlights the difficulty businesses face in thwarting targeted attacks that combine zero-day vulnerabilities and exploits with clever social-engineering lures.  The dedicated targeted attacker will, in almost every case, win.

The recent CanSecWest Pwn2Own contest saw successful attacks against Microsoft Internet Explorer 8, Mozilla Firefox and Apple’s Safari and iPhone.  Now that the dust has settled and the vendors are starting to patch the vulnerabilities, Threatpost editor Ryan Naraine takes a look at the real-world implications of the contest and the lessons learned.