Vupen, a security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet (warning: there’s a lot of security vocabulary coming), “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.”
The technique involves recalling memory that the browser had previously “freed,” (user-after-free), after which they were able to mess with the technology that protects a computer system from letting bad code execute.
In Internet Explorer’s case, Vupen says it found two separate “zero-days,” or previously unknown holes in a system, and used them to get inside a Microsoft Surface Pro tablet. From there, the company was able grab hold of the Windows 8.
The company explained, again, in a tweet, “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.”
Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: it had the laptop visit a malicious website. From there the website probed Chrome and was able to get control of the area of the browser that executes code “in the context of the sandboxed renderer process,” or the protective area that allows code to run, but restrict it from using any other part of the system but the CPU and memory.
The sandbox cannot, however, protect against any attacks against the kernel, or the root of the operating system, it exists in and that’s exactly what MWR took advantage of. It found a vulnerability in the kernel, exploited it, and gained full access to the Windows 7 system.
All of these browsers had been previously patched in preparation for the competition, showing just how much can be missed and how valuable these types of bug-finding events are. MWR won $100,000 as a result. Of course, both MWR and Vupen properly disclosed all the documentation of its findings to the appropriate browser security teams.
Copyright 2013, VentureBeat