Hackers Exploit All Four Major Browsers During Pwn2Own Competition
redOrbit Staff & Wire Reports – Your Universe Online
All four of the major Internet browsers were among the programs that fell victim to zero-day exploits during the HP-sponsored Pwn2Own hacking competition, various media outlets reported earlier this week.
According to CNET’s Seth Rosenblatt, Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Adobe’s Flash and Reader browser plug-ins were programs cracked by eight research teams participating in the two-day Pwn2Own event, which ended Thursday at the CanSecWest conference in Vancouver, Canada.
A total of 12 successful attacks were launched during this week’s events, revealing a total of 35 individual exploits during the semiannual competition which was founded in 2007 and is organized by HP’s Zero Day Initiative. Pwn2Own challenges hacking teams to demonstrate security vulnerabilities in Web browsers and streaming video software, Dune Lawrence of Bloomberg Businessweek explained.
Leading the way was Team Vupen of Vupen Security, which set a new event record by earning $400,000. Vupen Security develops exploits for vulnerabilities, then sells them to governments and intelligence agencies for cyberattack or espionage efforts. The team compromised Chrome using a use-after-free vulnerability affecting the WebKit and Blink rendering engines, PC World’s Lucian Constantin explained.
“The major value of Pwn2Own is to show that even the most secure software can be compromised by a team of researchers with enough resources,” Vupen Security CEO Chaouki Bekrar told CNET. “Since we report the vulnerabilities to the vendors, they fix the flaws and [then] they harden the browser to prevent future attacks.”
“It highlights some of the impact we’ve had in the software industry at beginning to really build better security,” Jacob West, chief technology officer for enterprise security products at HP, told Bloomberg. “Attackers are having to develop more complex exploits involving more individual vulnerabilities and more complex connections between them than they would have in the past.”
A Chinese contingent known as Keen Team earned $65,000 for hacking Apple Safari and co-hacking Adobe Flash, Rosenblatt said. They announced that they would be donating some of their winnings to a Chinese charity for the individuals onboard the missing Malaysia Airlines flight MH370.
“Another anonymous researcher presented a Chrome remote code execution exploit Thursday, but the contest judges declared it only a partial win because some details of the hack were similar to those of an exploit presented earlier at Pwnium, Google’s own hacking contest that runs alongside Pwn2Own,” Constantin said.
“Well-known iPhone and PlayStation 3 hacker George Hotz – known online as ‘geohot’ – demonstrated a remote code execution exploit against Firefox, making it the competition’s fourth successful hack against Mozilla’s browser,” he added. “Security researchers Jüri Aedla and Mariusz Mlynski had also compromised Firefox during the first day of the contest by exploiting different vulnerabilities.”
On Thursday, the second day of the conference, researchers Sebastian Apelt and Andreas Schmidt demonstrated a browser-based exploit that compromised Internet Explorer. Their attack chained a pair of use-after-free vulnerabilities with a Windows kernel bug to launch the Windows calculator application, the contest’s conventional proof that arbitrary code can be executed remotely.
Another researcher, Liang Chen of the Chinese Keen Team, combined a heap overflow vulnerability with a sandbox bypass to achieve remote code execution in Apple Safari. He and fellow researcher Zeguang Zhou of team509 then demonstrated a remote code execution exploit for Adobe Flash Player.
In addition, hackers were able to earn $82,500 for the Canadian Red Cross as part of the new Pwn4Fun charity contest, including Pwn2Own co-sponsor Google discovering Apple Safari vulnerabilities for a sum of $32,500 and the Zero-Day Initiative nailing Internet Explorer for $50,000, Constantin and Lawrence said.