IE8 and Safari Fall on First Day of Pwn2own

By | March 11, 2011


Red Font Pwn

Pwn2Own, the yearly hacking contest held as part of the CanSecWest security conference, saw the successful hijacking of fully patched versions of Safari and Internet Explorer 8 this year. Ars Technica described Pwn2Own as the following:

If a researcher can pwn the browser—that is, make it run arbitrary code—then they get to own the hardware the browser runs on. This year, not only did they have to run arbitrary code, they also had to escape any sandboxes—restricted environments with reduced access to data and the operating system—that are imposed.

Safari, which enjoyed the patching of 60 security holes in the browser the day before the competition, was taken down in five seconds after the browser went on its specially-crafted malicious web page. It took two weeks for a team of three researchers to put together the successful exploit.

Internet Explorer 8 was second to fall and in a similar style to Safari. However, Microsoft chose not to patch the browser a week or even a day before Pwn2Own was to take place. The successful contestant required five to six weeks to assemble the exploit.

Chrome was the third browser to be tested, but the contender who was pitted against Chrome did not show up, leaving the browser unbeaten. A reason for this could be that 24 security flaws were fixed by Google in an update on Wednesday, likely leaving the browser immune to the security flaw the contender was going to use.


About (Author Profile)


Being passionate about software, Armin joined FavBrowser.com in early 2011 and has been actively writing ever since. Having accepted the challenge, he also enjoys watching anime, indulging in good books, staying fit and healthy, and trying new things.

Comments (13)

Trackback URL | Comments RSS Feed

  1. Pothi says:

    That was fun to know how Chrome escaped from the contest on the first day. Look forward to how Firefox and other mobile browsers go up.

  2. Safari was exploited in 5 seconds.

    • Wloopsf says:

      It could be interesting to know how much time it going to take to exploit IE 6 ?
      Imagine if IE 6 lasts longer than Safari.

  3. Opera and Safari are both worthless anyway. You can’t block cookies or ads with them.

  4. Sarjoor says:

    Even though the Safari/WebKit bug was not tried on Chrome (my guess, it would not have escaped Chrome’s sandbox), Chrome already has a new Stable release with the WebKit bug fixed:

    http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates.html

  5. HAHAH says:

    @ Dwight
    You fail horribly there is about 3 different ways to to block Ads on Opera. You can do it via the built in content blocker, via a NoScript Plugin, or a Urlfilter.ini file such as fanboys list. So don’t go spouting stuff that is above your understanding

  6. RamaSubbu_SK says:

    Just came to know that IE9 is not affected by this vulnerable
    http://twitter.com/msftsecresponse/status/45939417998831617

    Seems like microsoft did good job in IE9. Next year we will know the answer better :)

  7. Greg says:

    The real question should be why wasn’t Opera in this test?

    Makes you think is Opera secure? hmmm..