Pwn2Own Exploit Breaches Top-Secret US Lab

Dan Goodin points out the correlation in The Reg

The security breach at the Oak Ridge National Laboratory is at least the second time since 2007 that computers have been hacked when employees were duped by phishing emails. The most recent compromise was initiated by messages that were manipulated so that they appeared to come from the lab’s Human Resource Department, The Knoxville News Sentinel reported.

According to a follow-up post, a link included in the fraudulent email, which first entered the lab’s systems on April 7, exploited a critical vulnerability in IE that Microsoft fixed last Tuesday. It was the same bug that fetched a security researcher a $15,000 prize in the recent Pwn2Own hacking contest.

The Pwn2Own exploit, demonstrated by Stephen Fewer against IE8 on Windows 7, was announced March 10, 2011.

Microsoft has fortified IE with a security sandbox that isolates it from more sensitive parts of the operating system, so Fewer had to exploit a design flaw in it to break out.

“The (sandbox) escape I found was pretty easy, to be honest,” he said. “Surprisingly so.”

In all, he said it took him about six weeks of full-time research to find the bugs and write working exploits for them.

So, six weeks to write a working exploit for a use-after-free bug from scratch, and then about four weeks from the Pwn2Own demonstration (March 10) to the compromise of a “top-secret” facility (April 7). Note that the Pwn2Own exploit itself was never published; the bug was handed to Microsoft via the contest, so whoever hit ORNL either found it independently or obtained it some other way.

There definitely is some need for analysis of the social engineering aspects of the attack, but another really interesting angle is the patch window: the Pwn2Own bug was in Microsoft’s hands from March 10, the fix did not ship until Security Bulletin MS11-018 (the cumulative IE update) on April 12, 2011, and the ORNL intrusion began on April 7, five days before a patch was available. Customers were exposed to a known, weaponized vulnerability for roughly a month.
