Researchers rake in $280K at Pwn2Own hacking contest
Teams hack IE10, Chrome 25, Firefox 19 and Java 7 as eighth Pwn2Own gets off to an impressive start
Computerworld - Research teams Wednesday cracked Microsoft's Internet Explorer 10 (IE10), Google's Chrome and Mozilla's Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.
Earlier in the day, a solo hacker exploited Oracle's Java to win $20,000.
Vupen, a French vulnerability research and bug-selling firm that took first place at Pwn2Own last year, brought down IE10 running on a Windows 8 powered Surface Pro tablet by exploiting a pair of flaws.
"We've pwned [Microsoft's] Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," Vupen announced on Twitter Wednesday afternoon.
HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program is co-sponsoring Pwn2Own this year -- Google has also pumped money into the contest -- confirmed the Vupen hack in a tweet of its own.
According to Pwn2Own's rules, which were dramatically revised from 2012's challenge, the first researcher or team of researchers to hack IE10 on Windows 8 wins a $100,000 cash prize, plus the machine hosting the browser target.
Toward the end of the day, Vupen followed up with an exploit of Firefox 19 on Windows 7, collecting another $60,000.
Pwn2Own started Wednesday at the CanSecWest security conference in Vancouver, British Columbia, and will run through Friday.
Also on Wednesday, a two-man team from MWR Labs, an arm of UK-based MWR InfoSecurity, hacked Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, vulnerabilities in the browser and operating system.
Like the Vupen hack of IE10, MWR Labs' exploit of Chrome resulted in a complete bypass of Windows anti-exploit "sandbox" technology. The MWR Labs researchers who found the bugs, built the exploits and demonstrated their skills at Pwn2Own were Nils -- a young German who is known only by his first name -- and Jon Butler. Nils has a Pwn2Own history: He won $10,000 by hacking Mozilla's Firefox in 2010, and $15,000 the year before for exploiting Firefox, IE8 and Apple's Safari.
Nils and Butler described their Chrome hack in a brief blog post Wednesday, outlining how they defeated Windows' security defenses, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
For their work, Nils and Butler received $100,000.
At the opening of the contest, a pair of solo researchers -- James Forshaw, a principal consultant at Context Information Security in the U.K., and Joshua Drake of Accuvant -- exploited Oracle's Java. Forshaw, who took his jabs first, won $20,000, Pwn2Own's lowest-priced prize. Vupen also successfully hacked Java 7 with a vulnerability and exploit of its own.
In a departure from the original rules, ZDI said that it would purchase all successful vulnerabilities and their associated exploits from researchers, even those that were not awarded prizes. It did not say how much hackers would earn by selling such secondary flaws: ZDI and other bug bounty programs typically are tight-lipped about what they pay.
Several prizes went unclaimed Wednesday, including the two $70,000 awards for Adobe's Flash Player and Adobe Reader on Windows 7, and the $65,000 check for Safari on OS X Mountain Lion. Flash and Reader are slated to be attacked today.
Google's own contest, Pwnium 3, kicks off Thursday at CanSecWest when Chrome OS -- the search giant's browser-based operating system -- will be targeted by researchers. Pwnium 3 is notable for the $3.14 million Google has set aside for potential awards, and for the individual prizes of as much as $150,000 for each successful exploit.
This is Pwn2Own's eighth year, but the total prize pool of more than a half-million dollars is a record for the contest.
More information about Pwn2Own can be found on TippingPoint's blog.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+, or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts