Researchers pocket record $400K at Pwn2Own hacking contest's first day
Hack Internet Explorer, Firefox, and Adobe Flash and Reader
Computerworld - Researchers on Wednesday cracked Microsoft's Internet Explorer 11 (IE11), Mozilla's Firefox and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.
Pwn2Own continues today, when other teams and individual researchers will take their turns trying to break Apple's Safari and Google's Chrome.
A team from Vupen, a French vulnerability research firm and seller of zero-day flaws to governments and law enforcement agencies, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox and IE11 for a one-day foursome, another record.
Firefox was victimized a total of three times in just over six hours, once by Vupen and then two other times by researchers Mariusz Mlynski and Jüri Aedla, with each winner picking up $50,000 for their exploit.
Although Pwn2Own was originally going to offer cash prizes only to the first who hacked each target, the contest organizer, Hewlett-Packard's Zero Day Initiative (ZDI), changed the ground rules on the fly, saying early Wednesday that it would pay for all vulnerabilities used by the contestants.
With that move, ZDI, a bug bounty program that's part of HP's TippingPoint division, said it and co-sponsor Google -- the latter pitched in 25% of the prize money -- would end up paying more than $1 million if all 15 entrants, another record, were successful.
Wednesday's efforts were impressive in their own right, with each scheduled target falling to researchers within five minutes. Contestants come to Pwn2Own with zero-day vulnerabilities and exploits in their pockets, and do not find the bugs and craft attack code on-site.
"All the exploits were unique in their own way," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview after the conclusion of Pwn2Own's first day. Gorenc declined to single out the most impressive or elegant exploit. "It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities."
A "sandbox" is an anti-exploit technology deployed by some software -- Internet Explorer, Flash and Reader all rely on sandboxes -- that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must circumvent, or "escape" the sandbox, to execute their malicious code on the machine. Sandbox escapes typically require chained exploits of two or more vulnerabilities.
The day's total of $400,000 nearly matched last year's Pwn2Own two-day payout of $480,000.
Vupen kicked off the day by hacking Adobe Reader, winning $75,000 for the feat.
"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw). Exploit reported to Adobe!," Vupen said on its Twitter account.
Next up was IE11 on a notebook running Windows 8.1, Microsoft's most-current operating system. "We've pwnd IE11 on Win 8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox," Vupen announced on Twitter after grabbing $100,000 for the hack.
"Use-after-free" is a term for a type of memory management bug, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.
Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center... All Cybercrime and Hacking White Papers | Webcasts