iPhone 4 and Blackberry fall at Day Two of Pwn2Own

The annual Pwn2Own contest is going on at the CanSecWest conference in Vancouver. Pwn2Own is an interesting contest where security experts are unleashed upon the software products that we use every day. If the products can be hacked, the successful exploiters win cash, hardware and bragging rights.

Day one was browser attack day and the Safari browser was the first to fall followed by Internet Explorer 8:

The first browser to fall in the three-day hacking contest was Safari, running on 64-bit version of Mac OS X. It was cracked by a team from Vupen Security in five seconds – all the team had to do was point the browser at a site containing their malicious code to take advantage of a vulnerability in WebKit.

That flaw was yesterday fixed by Apple, but the patch came too late to make it into the browser for the contest.

The second browser to fall was IE8 running on a 64-bit version of Windows 7. It was hacked by researcher Stephen Fewer using a trio of vulnerabilities.

Chaouki Bekrar, who successfully hacked Safari on a fully patched MacBook, explains the hack on eWeek:

The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.

“The victim visits a Web page, he gets owned. No other interaction is needed.”

Internet Explorer 8 was compromised by a combination of 3 attacks, 2 of which were zero-day exploits. Chrome and Firefox were also on the list for day one, but no challengers came forth.

Day two was all about smartphones. The iPhone 4 and RIM’s BlackBerry Torch both fell to the hackers. Windows Phone 7 and Android went unscathed as yet again no challengers showed up to attack them:

The iPhone 4 was taken out by Charlie Miller, setting a record by winning for a fourth year in a row. The flaw he and partner Dion Blazakis used has already been mitigated by Apple’s iOS 4.3 release.

Another team of researchers, Willem Pinckaers and Vincenzo Iozzo, managed to crack a BlackBerry Torch 9800. Each team takes home $15,000 and the handset.

The contest is not all about hacking. The exploits used in the contest are turned over to the sponsor, who in turn releases the information to the manufacturer so security adjustments can be made.

Internet Explorer Running Slow or Crashing

If your Internet Explorer is really acting up on you, and it is not a virus, it could be a bad or corrupted add-in.

You can reset Internet Explorer to the factory defaults by going to the “Tools” menu, “Internet Options” menu and then “Advanced”. From here you can click “Reset”.

After doing this, you will get the “Welcome to Internet Explorer” screen and it will ask you to pick some startup options, just like when you first used IE. When this is done, you should be good to go.

* Note: The first time you put in a password for a site, it will ask if you want IE to save it. The best security option is NOT to let IE save your passwords.

View Webpages from the Past: Wayback Machine

When a hacker targets a system, they will usually use a tactic called reconnaissance to gather as much information as possible about the victim. Some hackers will use programs to download your website to search and view it offline. It is amazing how much information can be gleaned from some websites. Documents, contact information, even file structure, and exploitable directories are some targets of interest.

Many companies are more security conscious now and monitor what they put up on their websites. But, what if there was a complete copy of your website available from a year ago, or even 10 years ago? Enter Archive.org’s Wayback Machine. Archive.org creates a backup copy of your website and saves it in archive form. Many websites can be viewed from years in the past all the way back to 1996. Want to read CNN or Fox News news from 2000? You can find it on Archive.org. According to their website:

The Internet Archive is a 501(c)(3) non-profit that was founded to build an Internet library. Its purposes include offering permanent access for researchers, historians, scholars, people with disabilities, and the general public to historical collections that exist in digital format. Founded in 1996 and located in San Francisco, the Archive has been receiving data donations from Alexa Internet and others. In late 1999, the organization started to grow to include more well-rounded collections. Now the Internet Archive includes texts, audio, moving images, and software as well as archived web pages in our collections, and provides specialized services for adaptive reading and information access for the blind and other persons with disabilities.

The Wayback Machine is powered by Sun technology, and can serve over 500 inquiries a second. Most people don’t know that their websites are being actively archived. This could be a security risk for you and your company. If you find that your site is in the archive and you want it removed, instructions can be found here.
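A quick way to find out what of your own site has been captured is to inventory the archive's records for your domain. The script below is an added example, not part of the original post; it assumes the shape of the Wayback CDX API's JSON output (a header row followed by one row per capture) and works on a constructed sample response so it runs offline.

```python
"""Inventory what the Wayback Machine holds for a site you own.

Added example. Assumes the CDX API JSON shape: first row is the header
(urlkey, timestamp, original, mimetype, statuscode, digest, length),
then one row per capture. SAMPLE_CDX is constructed, not real data.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Real endpoint (not queried here); a live query would be
# CDX_ENDPOINT + "?url=example.com&matchType=domain&output=json".
CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Constructed sample response for a hypothetical example.com.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/", "20000301120000", "http://example.com/", "text/html", "200", "AAAA", "1200"],
    ["com,example)/staff/contacts.html", "20050615093000", "http://example.com/staff/contacts.html", "text/html", "200", "BBBB", "3400"],
    ["com,example)/backup/site.zip", "20070102000000", "http://example.com/backup/site.zip", "application/zip", "200", "CCCC", "900000"],
    ["com,example)/admin/", "20070102000100", "http://example.com/admin/", "text/html", "403", "DDDD", "300"],
    ["com,example)/", "20110309180000", "http://example.com/", "text/html", "200", "EEEE", "1500"],
])

# Path prefixes the site owner considers sensitive (assumption; tune per site).
SENSITIVE_PREFIXES = ("/admin", "/backup", "/staff")

def parse_cdx(raw):
    """Turn the CDX array-of-arrays into a list of dicts keyed by the header row."""
    rows = json.loads(raw)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body]

def captures_by_year(records):
    """How many captures exist per year (timestamp is YYYYMMDDhhmmss)."""
    years = defaultdict(int)
    for r in records:
        years[r["timestamp"][:4]] += 1
    return dict(years)

def sensitive_captures(records, prefixes=SENSITIVE_PREFIXES):
    """Successful (HTTP 200) captures whose path starts with a sensitive prefix."""
    hits = []
    for r in records:
        path = urlparse(r["original"]).path
        if r["statuscode"] == "200" and path.startswith(prefixes):
            hits.append((r["timestamp"], path))
    return sorted(hits)

if __name__ == "__main__":
    recs = parse_cdx(SAMPLE_CDX)
    print("captures per year:", captures_by_year(recs))
    for ts, path in sensitive_captures(recs):
        print(f"{ts[:4]}-{ts[4:6]}-{ts[6:8]}  {path}")
```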

Microsoft Help and Support Center Vulnerability

Security researcher Tavis Ormandy has discovered a vulnerability in Windows XP and Server 2003. According to an article on The Register, the Microsoft Help & Support Center can be manipulated to allow full remote access to the system if the user is using Media Player 9 and any version of Internet Explorer up to and including IE 8.  

The flaw resides in the Windows Help and Support Center, a feature that provides users with online technical support. Malicious hackers can exploit the weakness of Windows by embedding commands in web addresses that activate the feature’s remote assistance tool, which allows administrators to execute commands over the internet. The exploit works in XP and Server 2003 versions of Windows and possibly others.

According to Ormandy’s whitepaper, several steps are needed to perform the exploit, but it is based on being able to pass commands to the help center. Here is a simple example from the whitepaper:

You can test this with a command like so (assuming a recent IE):

C:\> ver
Microsoft Windows XP [Version 5.1.2600]
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"

While this is fun, this isn’t a vulnerability unless an untrusted third party can force you to access it. Testing suggests that by default, accessing an hcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably other browsers) will result in a prompt. 

To defend against this attack, it is recommended that the remote assistance tool be turned off, but Ormandy also offers other temporary fixes in the whitepaper.
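Because the attack ends with helpctr.exe being launched with an hcp:// URL that carries script, process-creation telemetry is a natural place to look for it. The script below is an added example, not from the original post or Ormandy's whitepaper; it assumes records in a constructed tab-separated form (timestamp, image path, command line), such as an EDR or audit-log export, and decodes percent-encoding repeatedly so double-encoded markup is not missed.

```python
"""Flag Help Center launches whose hcp:// URL smuggles script.

Added example. Assumes tab-separated process-creation records:
timestamp, image path, command line. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote

HCP_URL = re.compile(r'hcp://[^\s"]+', re.IGNORECASE)
SCRIPT_MARKERS = re.compile(r"<\s*script|eval\s*\(|javascript:", re.IGNORECASE)

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2011-03-11T10:00:01\tC:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\thelpctr.exe -url hcp://system/sysinfo/sysinfomain.htm
2011-03-11T10:00:02\tC:\\WINDOWS\\explorer.exe\texplorer.exe
2011-03-11T10:00:03\tC:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\thelpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=%3Cscript%20defer%3Ealert(1)%3C/script%3E"
2011-03-11T10:00:04\tC:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\thelpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=%253Cscript%253E"
"""

def decode_fully(text, rounds=3):
    """Undo repeated percent-encoding; double encoding is a common filter dodge."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_command(cmdline):
    """'suspicious' if the hcp:// URL carries script markers, 'hcp' if benign, else 'none'."""
    m = HCP_URL.search(cmdline)
    if not m:
        return "none"
    url = decode_fully(m.group(0))
    return "suspicious" if SCRIPT_MARKERS.search(url) else "hcp"

def scan_records(text):
    """Return [(timestamp, verdict, url)] for every helpctr.exe launch with an hcp:// URL."""
    findings = []
    for line in text.splitlines():
        fields = line.split("\t", 2)
        if len(fields) < 3:
            continue
        ts, image, cmdline = fields
        if not image.lower().endswith("helpctr.exe"):
            continue
        verdict = classify_command(cmdline)
        if verdict != "none":
            findings.append((ts, verdict, HCP_URL.search(cmdline).group(0)))
    return findings
```

Benign Help Center use shows up with the verdict "hcp", so the "suspicious" verdict alone is what warrants a closer look.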