IE 10 Running on Surface Hacked in 10 Minutes -- Redmondmag.com

IE 10 Running on Surface Hacked in 10 Minutes

The Pwn2Own contest has already taken down Microsoft's latest Internet browser.

By Chris Paoli
03/13/2013

Pwn2Own 2013, the event where security pros get paid for breaking software, was held last week during the annual CanSecWest security contest, and the major browser players all took their punishment.

The highlight was the newcomer's fall, Internet Explorer 10, which was defeated at the hands of VUPEN Security on day one of competition

What made the feat impressive was it was done on a Surface Pro tablet running Windows 8 -- another newcomer to this year's event. The French firm was able to recreate the exploit in both the Desktop and the Windows App Store (Metro) versions of the browser within the first 10 minutes of the competition's start.

"The exploit fully bypassed all Windows 8 security protections and exploit mitigation technologies including HiASLR, DEP, AntiROP and Protected Mode sandbox," wrote VUPEN.

For that quick bit of hacking, the firm was awarded $100,000 from HP's Tipping Point, the security and risk management branch of the hardware manufacturer.

But that wasn't it for VUPEN. Later in the date it successfully exploited a hole in the latest version of Firefox running on Windows 7 and found a new hole in Java (which doesn't seem too difficult to do). For those additional hacks, the company was awarded an additional $60,000.

Another notable (and profitable) hack came the next day when a two-man team pulled off a full sandbox bypass against Google Chrome on Windows 7. Here's how the team from MWR Labs did it: "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process," wrote MWR Labs in a blog post. "We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

For that bit of cyber wizardry, the team was awarded $100,000.

For all successful exploits, whether prize winners or not, HP said it bought them all and over half a million bucks was awarded over the three-day hacking competition.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.