Pwn2Own hacking contest winds down after paying a record $480K
Google, Mozilla rush out fixes for flaws revealed by researchers
Computerworld - A day after researchers hacked Chrome and Firefox at the Pwn2Own contest, Google and Mozilla patched their browsers Thursday.
The contest also wound down yesterday after hackers had earned a record $480,000 over two days.
The update to Chrome 25 came about 24 hours after two researchers from U.K. firm MWR InfoSecurity exploited multiple bugs in the browser and Windows 7. In exchange for their attack code and vulnerabilities, Nils -- a German who goes only by his first name -- and Jon Butler were awarded $100,000 by Pwn2Own organizer HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program.
The quick turn-around nearly matched last year's, when Google patched several Chrome vulnerabilities in under 24 hours after researchers unveiled them at a company-sponsored contest.
Mozilla also patched its Firefox browser on Thursday, closing a hole unveiled by a team from Vupen, a French vulnerability research and exploit-selling company. The team's exploit resulted in a cash prize of $60,000, the laptop used to host Firefox and other fringe benefits.
"We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users," said Michael Coates, Mozilla's director of security assurance, in a Thursday blog.
Mozilla had been expecting to patch Firefox, and had prepped for what it calls a "chemspill," or emergency update, before Pwn2Own began.
Firefox 19.0.2, like Chrome 25, has already been pushed to users, most of whom receive it automatically through the browser's in-the-background update mechanism.
The other browser hacked Wednesday at Pwn2Own, Microsoft's Internet Explorer 10 (IE10), has not yet been patched. It's possible, but very unlikely given Microsoft's practices, that a fix will be included in March 12's Patch Tuesday.
On Twitter, Vupen's CEO and head of research, Chaouki Bekrar, said that the exploit his team deployed works against IE10 both on the "classic" desktop in Windows 8 as well as the browser for the tile-based user interface (UI) dubbed "Modern" by Microsoft but still referred to as "Metro" by most outsiders.
On Thursday, Pwn2Own continued with the Vupen team researchers successfully exploiting the Adobe Flash Player browser plug-in. George Hotz, a 23-year-old best known for "jailbreaking" the iPhone and the Sony PlayStation 3 -- and now being sued by Sony for the latter -- later brought down Adobe Reader. Vupen and Hotz each received $70,000 for their Adobe vulnerabilities and hacks.
Oracle's Java was also hacked yesterday by Ben Murphy, making a total of four exploits of the under-assault software that's plagued users with a rash of "out-of-band," or emergency, updates this year. Murphy, like each of the others who cracked Java, earned $20,000.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts