Both Peter Vreugdenhil of the Netherlands and a German researcher who would only give his first name, Nils, managed to find ways to disable DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) in Windows 7, two of Windows 7's most widely publicized anti-exploit features. Each of them took down the fully patched 64-bit version of Windows 7 and managed to bypass its defences.
Peter Vreugdenhil was first up to the table and used a double exploit combination to first bypass the ASLR feature and then disable DEP; two minutes later he had successfully hacked Internet Explorer 8. Half an hour later, Nils gave it a go using Mozilla Firefox 3.6 and managed to bypass the same defensive mechanisms only minutes later.
For their efforts, they were each awarded $10,000 and the notebook they exploited. What's more, they also received a paid trip to the DefCon hackers conference in Las Vegas this July.
Aaron Portnoy, team leader for security research with 3Com TippingPoint, the contest sponsor, and organizer of Pwn2Own, was very impressed, he said in an interview at the end of the day on Wednesday. “Every exploit today has been top-notch,” he said. “The one on IE8 was particularly impressive.”
Both hackers managed to use Microsoft's own code against it to bypass the security features, and Vreugdenhil has published in detail how he managed to do this in a PDF which you can download here.
As I said earlier, the two features they managed to bypass were:
ASLR (Address Space Layout Randomization) - This randomly shuffles the positions of key memory areas, which makes it much more difficult for hackers to predict where their attacking code will actually run.
DEP (Data Execution Prevention) - Introduced by Microsoft back in 2004 with Windows XP SP2, this prevents malicious code from executing in sections of memory not intended for code execution and is a defense against, among other things, buffer-overflow attacks.
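Both mitigations are things an individual Windows binary opts into through the DllCharacteristics field of its PE header, and checking that field is how a defender audits whether a module actually benefits from them. The following is an added example, not code from the original post: it parses a PE image's optional header and reports the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP) flags; `build_stub_pe` constructs a header-only test image so it runs offline, and `audit_file` is a hypothetical helper for real files on disk.

```python
import struct
import sys

# DllCharacteristics flags from the PE optional header (winnt.h values)
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image can be relocated, so ASLR applies
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image declares itself DEP-compatible

def pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR and DEP via its DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 0x46 of the optional header in both PE32 and PE32+
    dllchar = struct.unpack_from("<H", data, opt + 0x46)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "dllcharacteristics": dllchar,
    }

def build_stub_pe(dllchar: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for offline testing (not a real, loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / i386
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)

def audit_file(path: str) -> dict:
    """Hypothetical helper: read a PE file from disk and report its ASLR/DEP opt-in flags."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())

if __name__ == "__main__":
    for path in sys.argv[1:]:
        r = audit_file(path)
        print("%s: ASLR=%s DEP=%s" % (path, r["aslr"], r["dep"]))
```

A module built without DYNAMIC_BASE is loaded at its preferred base address even on a system where ASLR is enabled, so auditing every module a browser loads, plugins included, for both flags matters more than the system-wide setting alone.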
Both Microsoft and Mozilla had representatives at the event to watch as their software was exploited in front of the hundreds of hackers and researchers in attendance.
Jerry Bryant, a senior manager with the Microsoft Security Research Center, acknowledged the vulnerabilities exploited by Vreugdenhil, but that was about it.
He said:
“Microsoft is aware of a new vulnerability in Internet Explorer introduced at CanSecWest in the Pwn2own contest. We are investigating the issue and we will take appropriate steps to protect customers when the investigation is complete.”
However, he never said when or if Microsoft would be releasing a patch for it. The company's next scheduled Patch Tuesday is April 13, but Microsoft typically takes much longer to produce fixes, as testing time alone can often run between 30 and 60 days.
So I think we can all learn a valuable lesson from the Pwn2Own hacking contest. When there is a prize and money involved, it seems everyone’s software can be hacked into. This contest was established to discover flaws and vulnerabilities in software and so far it seems to be doing a very good job.
As Charlie Miller, another of Wednesday's winners, said:
“What you can see at Pwn2Own is that bugs are still in software, and exploit mitigations like DEP and ASLR don't work. Even as [defensive measures] improve, researchers still end up winning.”