Pwn2own 2011 day 1: Safari and IE8 fall [Update: IE9 fixed]


At the annual pwn2own competition, where hackers line up to show off their security-cracking skills on a number of software and hardware devices, both Safari and Internet Explorer 8 were successfully exploited due to a zero-day flaw in the software. The competition was hosted in Vancouver, B.C., Canada, where ZDNet managed to get some talk time with the hackers.

The first to fall was Safari on a MacBook Pro running a fully patched Mac OS X Snow Leopard (64-bit). The hacker exploited Safari by opening a compromised website, successfully launching a calculator on the machine.

VUPEN Security was the team that successfully hacked Safari. The security firm said that the vulnerability exists in WebKit, and that it took just two weeks to write a script that can 'own' a Mac user.

Next on the list was Internet Explorer 8, running on a fully patched Windows 7 SP1 (64-bit). Stephen Fewer, the Irish security researcher who successfully hacked Internet Explorer 8, used three different vulnerabilities found in the software to launch the calculator (calc.exe) application.

Both the Safari and IE8 exploits required the hacker not only to bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), but also to launch the calculator on the compromised machine.

Update: Microsoft have confirmed that the same security vulnerability is patched in IE9, which is due for release on Monday.


Everything on this website is knowledge, reading material and personal opinion from our life journal on the Internet.
© 2000-2010 Gembels.com by dono a.k.a Widhe