Archive for April 2nd, 2008

So we've got the juicy details now.
On the 2nd day of the the Pwn2Own contest, Vista has been owned by an unholy trinity of browser technologies:

  1. Java has been used to inject the native payload in a known executable memory area, effectively bypassing Vista's DEP.
  2. A Flash vulnerability (an unhandled exceeding function argument, maybe due to a bug in the Visual Studio compiler or linker) has been exploited for jumping to the prefilled location.
  3. JavaScript joined the party too, and my educated guess is that it just bridged the pointer location from the Java applet to the Flash object, since both are scriptable.

The full interview with Shane Macaulay (the Flash vulnerability finder) and Alexander Sotirov (of JavaScript Feng Shui fame), who helped with the Java memory preparation trick, is here.
By the way, they say JavaScript Feng Shui had been used to mount the Safari attack which brought down Mac OS X on 1st day.
Just more confirmations of who the real winner is :)

Bad Behavior has blocked 924 access attempts in the last 7 days.