Sunday, 22 March 2015

Firefox, Chrome, Safari, IE exploited


Firefox, Safari, Chrome and Internet Explorer all fell within than a second

Security Vulnerabilities in every one of the four big browsers were exploited in a Hacking Contest to remotely execute arbitrary code on Windows PC.

But the vulnerabilities were never made public. It was disclosed privately to the concerned parties mostly the software makers to release patches as soon as possible. In the interest of public at large, the details were not disclosed.

South Korean Security Researcher Jung Hoon Lee, who ised the handle "lokihardt" won a hooping $225,000 who left Vancouver with huge bank balance.

The time-of-check to time-of-use (TOCTOU) vulnerability and a sandbox escape through privileged Javascript injection to get past Windows Security Software and pull of medium-integrity remote code execution with the same privileges as logged-in user. 

Further, the buffer overflow bug of stable and beta versions of Google Chrome were used to execute full system level remote code execution.

Later, the finale Apple's Safari was pawned. With use-after-free(UAF) vulnerability using a uninitialized stack pointer to perform remote code execution on OS X won him the contest.

The Mozilla Firefox was compromised with in a second. The out-of-bounds read/write vulnerability leading to medium-integrity code execution in the browser.

The contest was a win-win situation for the hackers and the software vendors. The people who cracked earned a decent cash while the software vendors gained by knowing the vulnerability so they can release patches for the end-user.

No comments:

Post a Comment