No browser was left standing at this year's Pwn2Own hacking contest. The latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbed to exploits on day one, with hackers targeting a variety of zero-day vulnerabilities on each browser and Windows to hijack the underlying computer. By the end of the event at least $420,000 of the $560,000 prize fund was claimed -- almost a clean sweep.
French security firm Vupen -- which has been criticized in the past for selling exploits to governemnts -- took down IE10 on a Surface Pro tablet running Windows 8 as well as Firefox on Windows 7. The first is said to have required the most effort as it involved two separate zero-days and a full sandbox bypass, netting them an impressive $100,000. Meanwhile, Firefox fell to a zero day exploit that bypassed the browser's Address Space Layout Randomisation and the Data Execution Prevention protection in Windows for another $60,000.
In contrast with last year due to a change in the contest's rules, Vupen disclosed all the details about how they were able to exploit the vulnerabilities to each software house so they could be fixed.
Day 1 also saw Chrome 25 yield to a couple of researchers from MWR Labs, who exploited a flaw in the browser to gain code execution in the context of the sandboxed renderer process, and a kernel vulnerability in Windows 7 to gain system priviles for executing code on the machine. That was another $100,000. Interestingly, Google had pushed out fixes for 10 vulnerabilities in Chrome just before the event launched.
There was actually one browser that left the contest unscathed but that's not necessarily a reflection of its security. No researchers picked Safari on OS X as their target. It should be noted that in previous years Apple's browser has been among the first to fall, and this year there was a sizeable $65,000 bounty for an exploit, so it's inclear if there was simply no interest or if no one came up with a working hack.
Day two of Pwn2Own saw George Hotz take down Adobe Reader for $70,000, Vupen exploiting Flash for another $70,000, and not one but three Java exploits from different firms amounting to $20,000 each.
Chrome OS survives Pwnium
At the same CanSec West security conference Google also hosted its third Pwnium hacking competition from March 6 - 8, but this year the focus was on Chrome OS instead of its browser. The company promised more than $3 million in rewards and individual prizes in two different levels: $110,000 for browser or system level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence (guest to guest with interim reboot) delivered via a web page.
A Google spokesperson today confirmed the Pwnium 3 hacking contest completed without a winning entry, although partial credit was may be due to those with incomplete or unreliable exploits.