Internet Explorer 9 was the second browser to succumb to white-hat hackers during the Pwn2Own contest at the CanSecWest security conference in Vancouver.

A team of vulnerability researchers from French security firm VUPEN Security exploited a pair of previously unknown vulnerabilities in the latest version of Microsoft's browser yesterday.

The attack was demonstrated on a fully patched 64-bit Windows 7 with Service Pack 1 system in the annual Pwn2Own competition sponsored by TippingPoint's Zero Day Initiative (ZDI) programme.

Chrome exploit

The rules have changed for this year's Pwn2Own contest, its focus shifting from who can hack a browser faster, as it was in previous editions, to who can write the highest number of reliable exploits.

VUPEN also managed a zero-day exploit against Google Chrome earlier in the week and a similar one against Internet Explorer 9 yesterday. The team claims to have similar exploits for Apple's Safari and Mozilla Firefox.

VUPEN's Internet Explorer 9 exploit leveraged two vulnerabilities - a remote code execution (RCE) that bypassed the browser's anti-exploitation mechanisms like DEP (Data Execution Prevention) or ASLR (address space layout randomisation) and one that bypassed its post-exploitation defence, commonly known as the sandbox, or Protected Mode in Internet Explorer's case.

IE Protected Mode

The Internet Explorer 9 Protected Mode limits what attackers can do on the OS once they exploit a RCE vulnerability inside the browser. However, according to security researchers, IE's Protected Mode is less restrictive than Google Chrome's sandbox. This is expected to improve with Internet Explorer 10 on Windows 8.

It's also worth noting that the order in which browsers get attacked at this year's Pwn2Own contest has nothing to do with difficulty. Participating researchers come with their zero-day exploits prepared in advance and the order in which they demonstrate them is purely a matter of personal choice rather than an indication of one browser being harder to hack than another.

The zero-day RCE vulnerabilities are shared with TippingPoint, but not the sandbox-escape ones, which are considered highly valuable and rare. The organisers will share the details with the affected vendors after the contest is over.