Fully patched versions of Safari and Internet Explorer 8 were both successfully hacked today at pwn2own, the annual hacking competition held as part of the CanSecWest security conference. If a researcher can pwn the browser—that is, make it run arbitrary code—then they get to own the hardware the browser runs on. This year, not only did they have to run arbitrary code, they also had to escape any sandboxes—restricted environments with reduced access to data and the operating system—that are imposed.

First up, and first to fall, was Safari 5.0.3 on fully-patched Mac OS X 10.6.6. French security firm VUPEN was first to attack the browser, and five seconds after the browser visited its specially-crafted malicious web page, it had both launched the platform calculator application (a standard harmless payload to demonstrate that arbitrary code has been executed) and wrote a file to the hard disk (to demonstrate that the sandbox had been bypassed).

Speaking afterwards, VUPEN co-founder Chaouki Bekrar said that the exploit was somewhat difficult to pull off—and not because WebKit, the rendering engine that's at the heart of both Safari and Chrome, is lacking in vulnerabilities. Rather, exploitation was complicated by the fact that exploit techniques for 64-bit Safari are not widely documented. The techniques that the researchers used to bypass operating system protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are well-known, but the specific use and adaptation of these techniques on 64-bit Safari is unusual and required developing tools and attack code from scratch. Per the rules of the competition, full details of the pwn2own attacks, including the bypass techniques, won't be published until vendors have issued patches. Bekrar said that in total, a team of three researchers took two weeks to assemble the successful exploit.

Historically, the competition has required competitors to use the newest version of the browser and operating system. Perhaps aware of this, Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3. Under the new rules, pwning (and hence owning) only needs to succeed on the frozen version. However, to receive prize money (in addition to the hardware), the flaw must also exist in the newest release.

In VUPEN's case, the team will be winning both the hardware and the money. In spite of Apple's last-minute patch, their attack still works.

Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox. Putting together the successful attack took Fewer five to six weeks.

Microsoft, unlike Apple, opted not to include any Internet Explorer patches in last week's Patch Tuesday event.

The third browser to be tested was scheduled to be Chrome. However, the contestant registered to attempt the attack did not show up, so the browser remains unbeaten. One possible reason for this is that Google published a Chrome update yesterday, closing at least 24 security flaws. The prizes in the Chrome test were different from the others, with worse hardware (a ChromeOS Cr-48 laptop) and more prize money ($20,000 instead of $15,000) available. The would-be Chrome attacker may have been depending on one of the flaws patched this week to attack the browser, and may have lost interest once the money was off the table.

The time taken to develop working exploits shows that operating system-level protections like DEP and ASLR are useful tools. Finding security flaws in the browser is one thing; turning it into a useful attack that will succeed on up-to-date systems is quite another. But though the protection mechanisms make the job of exploiting flaws harder, they're plainly not impervious. Motivated attackers will find a way through the protection. The days of overnight hacks may be behind us—at the first pwn2own in 2007, an exploitable Safari flaw was discovered in five hours and a reliable exploit developed in just four hours—but successful hacks will continue to be an issue.

On trial Thursday is the last major browser, Mozilla Firefox. Following that is a quartet of smartphones: iPhone, Blackberry OS, Android, and Windows Phone 7 will all be subject to scrutiny.