updated 3/9/2012 11:24:36 AM ET 2012-03-09T16:24:36

Internet Explorer 9 was hacked during day two of the annual Pwn2Own hacking contest held at the CanSecWest security conference in Vancouver.

On March 8, researchers from the French security firm Vupen exploited two bugs, an unpatched heap overflow flaw and a memory-corruption vulnerability, to crack Microsoft's IE9 Web browser and run code outside the sandbox, the security feature in place to contain bugs and prevent malicious code from executing on the user's system.

On Wednesday, Vupen kicked off the Pwn2Own festivities by hacking the Google Chrome browser. It was the first time a research team has hacked Chrome during the annual contest.

"It was difficult because the heap overflow vulnerabilities are not very common," Vupen's CEO and chairman, Chaouki Bekrar, told SecurityNewsDaily of the IE 9 hack. "They [the flaws] are rare but they are useful, because you can use the same vulnerability to achieve memory leak and thus bypass ASLR."

(Address Space Layout Randomization , or ASLR, is a security protocol for randomly arranging data areas in a process' address space.)

Bekrar added, "Usually we need three vulnerabilities, one for DEP [Data Execution Prevention], one for ASLR, and one for the sandbox. Here we had one that allowed us to do DEP and ASLR, which is nice."

The attack required the researchers to navigate to a rigged website, where they demonstrated their exploit by making a calculator app show up on the target system.

"We used only a specially crafted Web page," Bekrar said. "There was no user interaction, no downloading, no pop-ups, no message box to accept. It was a 'visit and get pwned' exploit."

Bekrar said the code execution attack also works on old versions like IE6 and the new Internet Explorer version 10, which is only available for consumer preview.

Vupen researchers performed their proof-of-concept hack on a fully-patched Windows 7 Service Pack 1 machine. It took the team seven weeks to craft the IE 9 exploit.

© 2012 SecurityNewsDaily. All rights reserved


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments