The Vancouver Massacre
All platforms went down.
VANCOUVER (Rixstep) — CanSecWest opened, the hackers came, the platforms got clobbered.
Windows 7 got hacked with IE8, the iPhone was gutted, and Charlie Miller crushed a MacBook for the third year in a row.
And still the fun has only begun.
Dutch hacker Peter Vreugdenhil hacked Windows 7 with IE8 by bypassing the system's ASLR and DEP.
'I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass.'
Vreugdenhil said it took him about two weeks to get around the ASLR and DEP mitigations. He wins $10,000 and a new Windows machine which he'll probably sell on eBay immediately.
Microsoft representatives were on hand to witness the exploit in action but admitted they had a hard time following along.
Apple's (in)famous Darwin-based device, the one ISE found running everything as the equivalent of Windows root back in 2007, was the next victim - and it got clobbered without mercy. Hackers from Halvar Flake's Zynamics gutted the device in the time it normally takes to load a web page.
Vincenzo Iozzo and Ralf-Philipp Weinmann used an ingenious technique known as return-oriented programming to turn the device's own code on itself.
And this was all done with Apple code signing fully in place on the victim phone.
The key to return-oriented programming is that it doesn't inject code at all: it chains short instruction sequences that end in a return ('gadgets') out of code already loaded into the process address space, with a stack the attacker controls supplying the address of each gadget in turn. Non-executable memory never sees a fetch it would refuse, because every instruction that runs was legitimately mapped before the attack began.
'Apple have pretty good countermeasures but they're clearly not enough. The way they implement code signing is too lenient', commented Flake.
TippingPoint themselves describe the attack as 'very impressive'. The damage was compounded by how much the compromised browser process was allowed to touch: the payload read the SMS database straight off the phone. (Code signing plus non-executable memory is what Apple give their iPhone users for protection; the iPhone OS of the day had no ASLR, so the gadget addresses could simply be hard-coded.)
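To make the two mitigations and the two bypasses in this roundup concrete, here is an added illustration - not code from the article, from Zynamics or from either winning entry. It is a toy stack machine with W^X memory and a randomised module base; the instruction set, gadget offsets, syscall number and every address are invented for the example. It shows why returning into injected code fails under DEP, why a gadget chain aimed at a guessed base fails under ASLR, and how a leaked function address (Vreugdenhil's first step) turns the fixed offsets in a binary into a working chain (the Zynamics step) that never executes an instruction the process didn't already hold.

```python
"""Toy model of DEP, ASLR and a return-oriented-programming chain.
Added example with an invented instruction set and invented addresses;
not code from the article, Zynamics or any Pwn2Own entry."""
import random

PAGE = 0x1000
SYS_EXEC = 59                    # constructed syscall number (cf. execve)


class DEPViolation(Exception):
    """The CPU was asked to fetch from memory that is not mapped
    executable: the stack, the heap, or nothing at all."""


# The victim module as shipped. Offsets are baked into the binary; only
# the load address changes from run to run when ASLR is on.
MODULE = [
    ("nop",), ("nop",),            # 0-1   filler
    ("pop", "r0"), ("ret",),       # 2-3   gadget: pop r0 ; ret
    ("nop",),                      # 4
    ("pop", "r1"), ("ret",),       # 5-6   gadget: pop r1 ; ret
    ("nop",), ("nop",),            # 7-8
    ("syscall",), ("ret",),        # 9-10  gadget: syscall ; ret
    ("halt",),                     # 11    orderly exit
    ("ret",),                      # 12    epilogue of the overflowed function
]
OFF_POP_R0, OFF_POP_R1, OFF_SYSCALL, OFF_HALT, OFF_EPILOGUE = 2, 5, 9, 11, 12


class Machine:
    """Three registers, a stack, and W^X memory: the code page is
    executable and read-only, everything else is writable and never
    executable (that is DEP)."""

    def __init__(self, code_base, stack_base=0x7FFF0000, data_base=0x10000):
        self.code_base = code_base
        self.code = {code_base + i: ins for i, ins in enumerate(MODULE)}
        self.stack_base, self.data_base = stack_base, data_base
        self.mem = {}                    # writable words: stack and data
        self.regs = {"r0": 0, "r1": 0, "r2": 0}
        self.sp = stack_base
        self.syscalls = []               # what the "kernel" was asked to do

    def executable(self, addr):
        return addr in self.code

    def write(self, addr, value):
        if self.executable(addr):        # W^X: code pages are read-only
            raise PermissionError("write to code page at %#x" % addr)
        self.mem[addr] = value

    def read(self, addr):
        return self.mem.get(addr, 0)

    def pop(self):
        value = self.read(self.sp)
        self.sp += 1
        return value

    def run(self, pc, max_steps=64):
        """Execute from pc until halt; every fetch is checked first."""
        for _ in range(max_steps):
            if not self.executable(pc):
                raise DEPViolation("fetch from non-executable %#x" % pc)
            op, *args = self.code[pc]
            pc += 1
            if op == "pop":              # next stack word into a register
                self.regs[args[0]] = self.pop()
            elif op == "syscall":        # number in r0, pointer argument in r1
                self.syscalls.append((self.regs["r0"], self.read(self.regs["r1"])))
            elif op == "ret":            # pop an address and continue there
                pc = self.pop()
            elif op == "halt":
                return
        raise RuntimeError("did not halt")


def build_machine(seed=1234):
    """Load the module at a randomised base (ASLR) and stage "/bin/sh"
    in writable data where the attacker can point at it."""
    m = Machine(code_base=PAGE * random.Random(seed).randrange(0x100, 0x1000))
    m.write(m.data_base, "/bin/sh")
    return m


def corrupt_stack(m, words):
    """Model the overflow: the saved return address and the words above
    it are attacker-controlled when the epilogue's ret executes."""
    for i, w in enumerate(words):
        m.write(m.stack_base + i, w)
    m.sp = m.stack_base
    m.run(m.code_base + OFF_EPILOGUE)


def inject_shellcode(m):
    """Code injection: drop instructions on the stack and return into
    them. Writing works; DEP refuses the fetch. Returns the blocked address."""
    shellcode_addr = m.stack_base + 8
    for i, ins in enumerate([("pop", "r0"), ("syscall",), ("halt",)]):
        m.write(shellcode_addr + i, ins)
    try:
        corrupt_stack(m, [shellcode_addr])
    except DEPViolation:
        return shellcode_addr
    return None


def rop_chain(base, sh_addr):
    """Stack layout as it will be popped: pop r0 ; ret <- SYS_EXEC ;
    pop r1 ; ret <- sh_addr ; syscall ; ret ; halt. Only module code runs."""
    return [base + OFF_POP_R0, SYS_EXEC, base + OFF_POP_R1, sh_addr,
            base + OFF_SYSCALL, base + OFF_HALT]


def leak_function_address(m):
    """Stand-in for the ASLR bypass: an info leak of one known function."""
    return m.code_base + OFF_SYSCALL


def rop_without_leak(m):
    """A chain built for a guessed base lands in unmapped memory. Returns True if it faulted."""
    try:
        corrupt_stack(m, rop_chain(m.code_base + PAGE, m.data_base))  # wrong on purpose
    except DEPViolation:
        return True
    return False


def rop_with_leak(m):
    """Leak -> base -> chain. Returns the syscalls the kernel saw."""
    base = leak_function_address(m) - OFF_SYSCALL
    corrupt_stack(m, rop_chain(base, m.data_base))
    return m.syscalls


if __name__ == "__main__":
    print("injected code blocked at %#x" % inject_shellcode(build_machine()))
    print("blind ROP chain faulted:", rop_without_leak(build_machine()))
    print("ROP chain after leak:", rop_with_leak(build_machine()))
```

The order of the three calls mirrors the story: DEP alone stops the injected payload, ASLR alone stops the blind chain, and one leaked pointer collapses ASLR to arithmetic, after which DEP has nothing to object to because every fetched instruction lives in the module's own executable page.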
Charlie Miller took home a MacBook (and a cash prize) for the third year in a row - this despite Apple scrambling at the last minute to patch over one dozen known security holes in their Safari web browser.
A conference organiser was asked to surf to a prepared web page and got to watch as Miller took control of the Apple machine.
Miller also plans to present 20 (twenty) new zero-day vulnerabilities in Apple's Mac OS X operating system during the CanSecWest conference.
Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model rather than the user.
- Independent Security Evaluators
Zero Day: Hacker exploits IE8 on Windows 7 to win Pwn2Own
Pwn2Own 2010: iPhone hacked, SMS database hijacked
Zynamics: Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN
Zynamics: PWN2OWN Press Release
TippingPoint: Pwn2Own 2010
Pwn2Own MacBook attack: Charlie Miller hacks Safari again
Wikipedia: Return-to-libc attack
Stanford: On the Effectiveness of Address-Space Randomization
Wikipedia: Return-Oriented Programming
UCSD: Return-Oriented Programming: Exploits Without Code Injection
Google: Android Security Spec
Independent Security Evaluators: Exploiting Android
Independent Security Evaluators: Exploiting the iPhone