Vupen used two separate bugs – a heap overflow bug and a memory corruption bug – to compromise IE 9 and run code outside the sandbox. The heap overflow vulnerability exists in a number of versions of IE, from version 6 through IE 10, which is in consumer preview right now.
Chaouki Bekrar of Vupen said that it took two of his team members six weeks to find the bugs and make the IE exploits work.
"It was difficult because the heap overflow vulnerabilities are not very common", Bekrar told SecurityNewsDaily. "They are rare but they are useful, because you can use the same vulnerability to achieve memory leak and thus bypass ASLR [address space layout randomization]."
"Usually we need three vulnerabilities, one for DEP [data execution prevention], one for ASLR, and one for the sandbox. Here we had one that allowed us to do DEP and ASLR, which is nice", he added.
Vupen picked up 124 points with the IE 9 and Chrome exploits and was expected to win the $60,000 Pwn2Own prize to be awarded on Friday.