Internet Explorer 8 (IE8) has been hacked before it had even been officially launched.
The exploit, by German researcher hacked into exploit, however, didn't earn him the attention of the authorities but $5,000(£3,445) and a Sony Viao laptop.
The hacker, who only gave his name as Nils, cracked the browser during the PWN2OWN contest held at the CanSecWest event in Canada. He broke into the Sony within minutes by exploiting a previously-unknown vulnerability in the new browser, said , said Terri Forslof, manager of security response at 3Com's TippingPoint, the contest sponsor. The laptop was running what Forslof described as a "recent Microsoft internal build" of Windows 7.
"It was important for Microsoft to see that bug right away," said Forslof today. "There are cases in product development where you might have a vulnerability so critical that [the vendor] makes the call to actually block the release. Microsoft needed to see that and evaluate that vulnerability."
TippingPoint purchases the vulnerabilities and the rights to the exploits when it awards cash prizes during PWN2OWN. At that point, it hands over the information to the vendor.
"This is the awesome part of PWN2OWN," said Forslof. "Microsoft got to stand there and watch it happen. They were right at ground zero." Within five minutes of Nils hacking IE8, TippingPoint had provided details and code to Mike Reavey, operations manager for the Microsoft Security Research Centre (MSRC), who was at CanSecWest, the Vancouver, British Columbia security conference that hosts PWN2OWN. "They took it back to Microsoft and filed a bug," Forslof said. "That's a real success story. Microsoft had the opportunity to talk directly with Nils about the bug, and within five hours they had it reproduced in their labs."
Microsoft was unavailable for comment Thursday about the IE8 vulnerability.
IE8 wasn't the only browser Nils hacked yesterday, however. After he took down IE8, he moved on to Apple's Safari and Mozilla's Firefox, both of which he successfully exploited with attack code he had created earlier. His total for the afternoon: $15,000 in cash from TippingPoint, and the Sony.
"It was insane compared to last year," said Forslof, noting that at 2008's PWN2OWN, there were just two vulnerabilities disclosed. "Nils hit the IE8 vulnerability and everybody thought that was it. Then he comes back and says 'Do you mind if I try my Safari vulnerability? Oh, and by the way, I also have a Firefox bug'."
"After just two hours, we had four browser vulnerabilities and we'd paid out $20,000," Forslof said.
Before Nils took his shot at IE8, Charlie Miller successfully defended his title as PWN2OWN's 2008 first prize winner by hacking Safari within seconds. Miller, who said he had been "really nervous" this year because of the crush of spectators, walked away with $5,000 and a MacBook notebook.
By the rules of the contest and TippingPoint's policies, details of the vulnerabilities are kept confidential until the vendor releases a patch. "We'll go through our normal investigations," said Forslof, "and we'll work in close coordination with the vendors."
TippingPoint is one of two security companies with a bug bounty programme. The company's Zero Day Initiative, or ZDI, cash-for-crashes program does not disclose what it pays for a vulnerability, but in the past it has offered bonuses as large as $20,000.
The PWN2OWN contest wraps up tomorrow, with browsers from Microsoft, Mozilla, Apple and Google still fair game. A second part of the challenge pits hackers against five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the OSes used by the iPhone and the BlackBerry.
Follow highlights from ComputerworldUK on Twitter