Skip to main content

Mac OS X, Windows fall in Pwn2Own contest

The results are in from the first day of the annual Pwn2Own contest at CanSecWest, with Apple's Safari Browser and Microsoft's Internet Explorer falling at the first hurdle.

The Pwn2Own contest is a regular feature of the CanSecWest security conference, in which security researchers and hackers are invited to attack hardware running the latest versions of popular operating systems. As the name suggests, if the system gets 'pwned,' the researcher gets the keep the hardware - plus some spending money.

The first to fall in Day 1 of Pwn2Own 2011 was a brand new MacBook Air 13-incher running a fully-patched installation of the latest Mac OS X, which is now the property of VUPEN co-founder Chaouki Bekrar. Thanks to a specially formatted web site, Bekrar was able to exploit an as-yet unpatched vulnerability in the Safari browser to execute a custom command - executing Mac OS X's calculator app, rather than anything malicious, as a proof of concept.

According to an interview with ZDNet, Bekrar ranks the exploitation as 'somewhat difficult,' and one affecting the popular open-source WebKit rendering engine rather than an attack exclusive to Safari.

Before Windows fans get too joyous, however, Microsoft's latest didn't fare much better. A 64-bit installation of Windows 7 Service Pack 1 with all the latest patches fell to Stephen Fewer's attack, again via zero-day exploits in the default Internet Explorer 8 web browser with a third vulnerability used to bypass IE's protective sandbox mode.

Both researchers win a brand-new laptop for their troubles, along with $15,000 in prize money. Microsoft, for its part, has yet to address the flaws, but rival Apple has already released a Safari security update which is thought to patch the WebKit hole used by Bekrar in his successful attack.