So we’ve got the juicy details now.
On the 2nd day of the Pwn2Own contest, Vista has been owned by an unholy trinity of browser technologies:

  1. Java was used to place the native payload in a known executable memory area, effectively bypassing Vista's DEP (the JVM's memory is executable, so a payload stored there never trips the no-execute check).
  2. A Flash vulnerability (an unchecked excess function argument, possibly caused by a bug in the Visual Studio compiler or linker) was exploited to jump to that prefilled location.
  3. JavaScript joined the party too, and my educated guess is that it just bridged the pointer location from the Java applet to the Flash object, since both are scriptable from the page.

The full interview with Shane Macaulay (who found the Flash vulnerability) and Alexander Sotirov (of JavaScript Feng Shui fame, who helped with the Java memory preparation trick) is here.
By the way, they say JavaScript Feng Shui had also been used to mount the Safari attack which brought down Mac OS X on day 1.
Just more confirmations of who the real winner is :)

4 Responses to “Vista Gang Raped by the Browser Brothers Trio”

  1. #1 Nathan McFeters says:

    Haha, “Vista Gang Raped by the browser brothers trio”, hilarious!

    Thanks for following my blog!

    -Nate

  2. #2 Giorgio says:

    @Nate:
    my pleasure ;)

  3. #3 Así cayó Windows Vista « HispaSystem Group Blog says:

    […] Vista Gang Raped by the Browser Brothers Trio [Hackademix]. […]

  4. #4 hackademix.net » United Nations, I Hate to Say I Told You So says:

    […] Well, since modern browsers embed a lot of “other applications” which are usually quite vulnerable, maybe a good idea (actually the only sane idea, other than reverting to Lynx) is switching to a […]
