A researcher has published attack code for a Windows vulnerability one day after Microsoft released a patch that apparently fixed the flaw. Microsoft rated the bug ‘critical’, its highest threat rating; its discoverer had used it in a hacking challenge against Internet Explorer 8 (IE8) at the Pwn2Own contest and won $10,000. The flaw was discovered 9 months ago. Peter Vreugdenhil identified the vulnerability and used it to defeat ASLR (address space layout randomization), Windows 7’s most important anti-exploit defense. He was an independent researcher at the time; he has since been employed by HP TippingPoint, sponsor of the Pwn2Own contest.
Vreugdenhil stated in an interview that he used this vulnerability to defeat ASLR, and that a second vulnerability was used to bypass DEP. Windows relies heavily on DEP (data execution prevention), a second protection technology, to make it hard for attackers to execute their malicious code. Aaron Portnoy, manager of TippingPoint’s security team, recognized Vreugdenhil’s skill when he hacked IE8 within two minutes at Pwn2Own last year. Portnoy was particularly impressed that Vreugdenhil worked simultaneously on two vulnerabilities, each with its own potential to compromise IE8.
Recently, Vreugdenhil posted on his website a version of the code he had used at the Pwn2Own contest, a day after Microsoft shipped the patch for the vulnerability in Microsoft Data Access Components (MDAC). Microsoft identified the flaw in the MDAC ActiveX control that gives IE users access to databases. Vreugdenhil added that the attack code published on his site probably won’t work as-is, because he used modified versions of the code at the contest. Portnoy believes that miscommunication and a tracking problem on Microsoft’s end could explain the delay in producing a patch for a vulnerability that was exposed nine
Portnoy reveals that Microsoft was confused about how Peter hacked into IE8. Because Microsoft believed the reported vulnerability was not exploitable, Peter had to spell it out and explain how the exploit worked. Microsoft has since come around to acknowledging and applauding the techniques hackers used to defeat its ASLR and DEP defenses. Portnoy believes the hurdles Microsoft has put in place will make the system harder to breach, not impossible. Matt Miller of the Microsoft Security Engineering Center (MSEC) backed Microsoft’s confidence in ASLR and DEP, stating that, despite their weaknesses, they remain strong countermeasures against typical attackers.
The next Pwn2Own contest will again be sponsored by TippingPoint at the CanSecWest security conference. Portnoy has indicated that the highlights of this contest will be browser and mobile exploits, and that TippingPoint will release more information soon. Pwn2Own will offer cash prizes to researchers who manage to hack into a mobile phone’s broadband processor. This move should help uncover flaws in the firmware of the chips that process phone radio signals by rewarding successful exploits.