Researchers on Wednesday cracked Microsoft's Internet Explorer 11 (IE11), Mozilla's Firefox and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.
Pwn2Own continues today, when other teams and individual researchers will take their turns trying to break Apple's Safari and Google's Chrome.
A team from Vupen, a French vulnerability research firm and seller of zero-day flaws to governments and law enforcement agencies, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox and IE11 for a one-day foursome, another record.
Firefox was victimized a total of three times in just over six hours, once by Vupen and then two other times by researchers Mariusz Mlynski and Jüri Aedla, with each winner picking up $50,000 for their exploit.
Although Pwn2Own was originally going to offer cash prizes only to the first contestant to hack each target, the contest organizer, Hewlett-Packard's Zero Day Initiative (ZDI), changed the ground rules on the fly, saying early Wednesday that it would pay for all vulnerabilities used by the contestants.
With that move, ZDI, a bug bounty program that's part of HP's TippingPoint division, said it and co-sponsor Google -- the latter pitched in 25% of the prize money -- would end up paying more than $1 million if all 15 entrants, another record, were successful.
Wednesday's efforts were impressive in their own right, with each scheduled target falling to researchers within five minutes. Contestants come to Pwn2Own with zero-day vulnerabilities and exploits in their pockets; they do not find the bugs or craft attack code on-site.
"All the exploits were unique in their own way," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview after the conclusion of Pwn2Own's first day. Gorenc declined to single out the most impressive or elegant exploit. "It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities."
A "sandbox" is an anti-exploit technology deployed by some software -- Internet Explorer, Flash and Reader all rely on sandboxes -- that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must circumvent, or "escape," the sandbox to execute their malicious code on the machine. Sandbox escapes typically require chained exploits of two or more vulnerabilities.
The day's total of $400,000 nearly matched last year's Pwn2Own two-day payout of $480,000.
Vupen kicked off the day by hacking Adobe Reader, winning $75,000 for the feat.
"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw). Exploit reported to Adobe!," Vupen said on its Twitter account.
Next up was IE11 on a notebook running Windows 8.1, Microsoft's most current operating system. "We've pwnd IE11 on Win 8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox," Vupen announced on Twitter after grabbing $100,000 for the hack.
"Use-after-free" is a term for a type of memory management bug in which a program keeps using memory after it has been freed, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.
Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.