So we've got the juicy details now.
On the 2nd day of the Pwn2Own contest, Vista has been owned by an unholy trinity of browser technologies:

  1. Java has been used to inject the native payload in a known executable memory area, effectively bypassing Vista's DEP.
  2. A Flash vulnerability (an unhandled excess function argument, maybe due to a bug in the Visual Studio compiler or linker) has been exploited to jump to the prefilled location.
  3. JavaScript joined the party too, and my educated guess is that it just bridged the pointer location from the Java applet to the Flash object, since both are scriptable.

The full interview with Shane Macaulay (the Flash vulnerability finder) and Alexander Sotirov (of JavaScript Feng Shui fame), who helped with the Java memory preparation trick, is here.
By the way, they say JavaScript Feng Shui had been used to mount the Safari attack which brought down Mac OS X on the 1st day.
Just more confirmations of who the real winner is :)

8 Responses to “Vista Gang Raped by the Browser Brothers Trio”

  1. #1 Nathan McFeters says:

    Haha, "Vista Gang Raped by the browser brothers trio", hilarious!

    Thanks for following my blog!

    -Nate

  2. #2 Giorgio says:

    @Nate:
    my pleasure ;)

  3. #3 Así cayó Windows Vista « HispaSystem Group Blog says:

    [...] Vista Gang Raped by the Browser Brothers Trio [Hackademix]. [...]

  4. #4 hackademix.net » United Nations, I Hate to Say I Told You So says:

    [...] Well, since modern browsers embed a lot of “other applications” which are usually quite vulnerable, maybe a good idea (actually the only sane idea, other than reverting to Lynx) is switching to a [...]

  5. #5 hackademix.net » Block Rick! says:

    [...] more worrisome, though, if you used to believe FlashBlock could improve your security against Flash vulnerabilities. Your next surprise video star may be way more malicious than [...]

  6. #6 hackademix.net » Firefox Users Are The Safest says:

    [...] of this study is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be [...]

  7. #7 Interview With the Mind Behind NoScript | Firefox Facts says:

    [...] virtual machines and JIT compilation, and therefore they need write access on executable memory) to bypass the additional protections put up by latest OSes and browsers. That’s why NoScript blocks Java, Flash and all the other plugins on sites you don’t [...]

  8. #8 hackademix.net » Browser Plugins, Add-Ons and Security Advisers says:

    [...] ones (like Flash or Java) are often used in combination with JavaScript to prepare memory for attacks working around protection features deployed by modern OSes. That’s why one of the major features of NoScript is blocking plugin content from untrusted [...]
