Internet Explorer

  • September 24, 2012

    Pwn2Own 2012 Results

    Pwn2Own is a computer hacking contest that began in 2007 and is held annually at the CanSecWest security conference. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. For 2012 the rules were changed to a capture-the-flag style competition with a point system. Google withdrew from sponsorship of the event because the 2012 rules did not require full disclosure of exploits from winners.

    When Pwn2Own 2012 concluded, Chrome, Internet Explorer, and Firefox had all been compromised; Apple’s Safari was the only browser left standing. This was the first year Chrome got hacked; it had been untouchable up until this year. The exploits we saw used and executed were: CVE-2010-3346 (Internet Explorer), CVE-2009-3077 (Firefox), CVE-2011-0115 (Safari), CVE-2010-0050 (Safari), CVE-2010-0248 (Internet Explorer), and CVE-2010-2752 (Firefox).

    There was another Pwn2Own this year: the Zero Day Initiative (ZDI) event, sponsored by RIM and AT&T, is taking place in Amsterdam. There, hackers were asked to compromise 4 devices (BlackBerry Bold 9930, Samsung Galaxy SIII, Nokia Lumia 900, and Apple iPhone 4S) using exploits of mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS), and cellular baseband.

    What we learned is that the iPhone 5 is vulnerable to the same attack that successfully breached an iPhone 4S at the mobile Pwn2Own hacker contest. A fully patched iPhone 4S device was compromised, and contacts, browsing history, photos and videos were stolen from the phone. The iPhone took an epic hit when an exploit was built for the vulnerability in WebKit to beat Apple’s code-signing features and the MobileSafari sandbox. The same bug is present in the iOS6 Golden Master development code base, which means iPhone 5 is also vulnerable to the same exploit. Apple iPads and iPod Touch devices are also vulnerable. The Samsung Galaxy S3 can be hacked via NFC allowing attackers to download...
  • September 18, 2012

    Microsoft Internet Explorer Security Flaw

    Microsoft discovered a bug, or as we techies call it, a zero-day vulnerability, in the Internet Explorer web browser. The bug makes PCs vulnerable to attacks by hackers and malicious code. The security flaw affects hundreds of millions of Internet Explorer browser users. Microsoft said attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim’s computer.

    All but one supported edition of IE is affected: 2001’s IE6, 2006’s IE7, 2009’s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide. The only exception is IE10, the browser bundled with the new Windows 8, which does not contain the bug.

    Windows users are advised to switch from Internet Explorer to Chrome, Firefox or Opera until the bug is patched. Microsoft did not say how long that will take, but several security researchers said they expect the update within a week. When Microsoft patches it, the update will be rated “critical,” the company’s highest threat ranking.

    Update: Microsoft will be releasing an out-of-band “critical” patch on Friday at close to 10 a.m. PT to patch this vulnerability.