All browsers fall at Pwn2Own but Chrome OS survives Pwnium

By on March 8, 2013, 9:32 AM

No browser was left standing at this year's Pwn2Own hacking contest. The latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbed to exploits on day one, with hackers targeting a variety of zero-day vulnerabilities on each browser and Windows to hijack the underlying computer. By the end of the event at least $420,000 of the $560,000 prize fund was claimed -- almost a clean sweep.

French security firm Vupen -- which has been criticized in the past for selling exploits to governments -- took down IE10 on a Surface Pro tablet running Windows 8 as well as Firefox on Windows 7. The first is said to have required the most effort as it involved two separate zero-days and a full sandbox bypass, netting them an impressive $100,000. Meanwhile, Firefox fell to a zero-day exploit that bypassed the browser's Address Space Layout Randomisation and the Data Execution Prevention protection in Windows for another $60,000.

Unlike last year, and owing to a change in the contest's rules, Vupen disclosed to each software house all the details of how it exploited the vulnerabilities so they could be fixed.

Day 1 also saw Chrome 25 yield to a couple of researchers from MWR Labs, who exploited a flaw in the browser to gain code execution in the context of the sandboxed renderer process, and a kernel vulnerability in Windows 7 to gain system privileges for executing code on the machine. That was another $100,000. Interestingly, Google had pushed out fixes for 10 vulnerabilities in Chrome just before the event launched.

There was actually one browser that left the contest unscathed, but that's not necessarily a reflection of its security. No researchers picked Safari on OS X as their target. It should be noted that in previous years Apple's browser has been among the first to fall, and this year there was a sizeable $65,000 bounty for an exploit, so it's unclear if there was simply no interest or if no one came up with a working hack.

Day two of Pwn2Own saw George Hotz take down Adobe Reader for $70,000, Vupen exploiting Flash for another $70,000, and not one but three Java exploits from different firms amounting to $20,000 each.

Chrome OS survives Pwnium

At the same CanSecWest security conference Google also hosted its third Pwnium hacking competition from March 6 - 8, but this year the focus was on Chrome OS instead of its browser. The company promised more than $3 million in rewards and individual prizes in two different levels: $110,000 for browser or system level compromise in guest mode or as a logged-in user, delivered via a web page, and $150,000 for a compromise with device persistence (guest to guest with interim reboot) delivered via a web page.

A Google spokesperson today confirmed the Pwnium 3 hacking contest completed without a winning entry, although partial credit may be due to those with incomplete or unreliable exploits.

User Comments: 10

JC713 said:

Awesome. I guess people are just new to it. Maybe as it evolves it will be cracked.

m4a4 said:

"No researchers picked Safari on OS X as their target"


Skidmarksdeluxe said:

It just goes to show no browser will ever be bullet proof.

Nima304 said:

I absolutely love the idea of companies paying people to hack their products; it allows those with special skills to make large sums of money legally, and protects the consumer from exploits that otherwise might have been used against them. Props to Google as well for the massive amount of money they're throwing at this.

SNGX1275, TS Forces Special, said:

It's not really 'all browsers fall' if one represented (Safari) wasn't tried and Opera wasn't a choice. Maybe Opera will be involved in next year's when they switch to webkit based.

tipstir, TS Ambassador, said:

I only use the first 3 but mostly Chrome and Opera. Chrome is my default. The rest just don't make it.

JC713 said:

Maxthon is garbage, very limited in my opinion. Opera is kinda boring in my opinion, hopefully with the adoption of webkit, it will improve.

St1ckM4n said:

Ha, where is the Apple ad campaign saying Safari is the most secure popular browser?

2 people like this | captaincranky, TechSpot Addict, said:

Ha, where is the Apple ad campaign saying Safari is the most secure popular browser?
Well, if you're not allowed to try, how can you say it isn't? It just works! And if it doesn't, you're holding it wrong! So there.

1 person liked this | Jay Pfoutz, Malware Helper, said:

Maxthon is garbage, very limited in my opinion. Opera is kinda boring in my opinion, hopefully with the adoption of webkit, it will improve.

Actually, Maxthon is pretty tough/stable. Lack of add-ons doesn't disqualify it from being a great browser.

Opera is similar. Except, sometimes Opera can be a bit unstable about some things...notably Facebook. :P
