Hacker Busts IE8 on Windows 7 in 2 Minutes

From PC World: Two researchers yesterday won $10,000 each at the Pwn2Own hacking contest by bypassing important security measures of Windows 7.

Both Peter Vreugdenhil of the Netherlands and a German researcher who only would give his first name of Nils, found ways to disable DEP (data execution prevention) and ASLR (address space layout randomization), two of Windows 7's most vaunted anti-exploit features. Each faced down the fully-patched 64-bit version of Windows 7 and came out the winner.

Vreugdenhil used a two-exploit combination to circumvent first ASLR, then DEP, to successfully hack IE8. A half hour later, Nils bypassed the same defensive mechanisms to exploit Mozilla's Firefox 3.6. For their efforts, each was awarded the notebook they attacked, $10,000 in cash and a paid trip to the DefCon hackers conference in Las Vegas this July.

"Every exploit today has been top-notch," said Aaron Portnoy, security research team lead with 3Com TippingPoint, the contest sponsor, and the organizer of Pwn2Own, in an interview at the end of the day Wednesday. "The one on IE8 was particularly impressive."

Vreugdenhil, a freelance vulnerability researcher, explained how he bypassed DEP and ASLR. To outwit ASLR -- which randomly shuffles the positions of key memory areas to make it much more difficult for hackers to predict whether their attack code will actually run -- Vreugdenhil used a heap overflow vulnerability that allowed him to obtain the base address of a .dll module IE8 loads into memory. He then used that to run his DEP-skirting exploit.

View: Article @ Source Site