This year’s Pwn2Own hacker conference is currently underway in Vancouver, and as always one of the main events involves taking down fully-patched Web browsers running on fully patched operating systems. Of the three browsers put through their paces on Wednesday, only Google Chrome 10 is still standing – Internet Explorer 8 and Safari 5.0.3 both fell victim to exploits. Hackers hadn’t yet started in on Mozilla Firefox or any smartphone browsers. No mention was made of Internet Explorer 9, due out later this month.

Stephen Fewer, the Harmony Security employee who successfully brought down IE 8, used three different vulnerabilities: two to circumvent Windows 7′s ASLR and DEP memory protections, and a third to break outside of the Protected Mode sandbox and interface with the main operating system, where he was able to create files representing malware on the compromised system. The exploit, which took several weeks to develop, is the first Pwn2Own exploit to successfully circumvent a browser sandbox.

Browser makers are taking Pwn2Own increasingly seriously – though Microsoft didn’t patch IE8 this month, Firefox 3.6, Safari 5, and Chrome have all seen new security updates released in the last week in anticipation of the conference. For all of that effort, Chrome is the only browser that hasn’t ever been been breached at the conference, though it’s worth noting that the only guy slated to try breaking into Chrome this year didn’t show up.

Fewer, a first-time Pwn2Own contestant, was given $15,000 and a Sony Vaio laptop for his efforts.

Source: Computerworld