History repeated itself on the first day of Pwn2Own, an annual hacking competition where hackers try to break through the defenses of modern browsers and operating systems. Safari and Internet Explorer were once again successfully exploited by hackers, while Chrome remained unchallenged and undefeated.
Safari, which was the first browser to be challenged, fell within five seconds. The French security firm VUPEN managed to both execute arbitrary code (launch the Calculator) and bypass sandbox protection (write a file to the hard disk). The technique used by VUPEN required development of tools from scratch and took about three weeks to put together. VUPEN’s success is notable because shortly before the contest began, Apple patched as many as 62 vulnerabilities in a massive security update.
Next up was Internet Explorer, which met a similar fate at the hands of Stephen Fewer. Fewer exploited three separate vulnerabilities to execute Calculator and write a file to the disk. Unlike Apple, Microsoft hadn’t even bothered to issue any security updates last week.
The final browser that was supposed to be tested today was Chrome. However, the single contestant who had signed up to take a crack at Chrome didn’t turn up. So Chrome finished the day unchallenged and undefeated. Like Apple, Google had also released a major security update to Chrome in which at least 24 vulnerabilities were patched. It’s likely that the contestant dropped out because the zero-day vulnerability he planned on using was fixed by Google.
Firefox is slated to be challenged tomorrow. Should it fall, Google Chrome will be the last browser standing for the third consecutive year. Opera is not included in the competition as the organisers are of the opinion that its current user base of 53 million is not large enough.