The annual Pwn2Own hacking contest is wrapping up after paying nearly half a million dollars in cash prizes. Researchers successfully hacked Firefox, Internet Explorer, Chrome, Java and Adobe plug-ins during the event.
Robert Lemos with eWeek reported, “Security researchers claimed nearly $500,000 in bounties for demonstrating previously unknown – or zero-day – attacks against all major browsers and three popular browser plugins at the annual Pwn2Own competition at the CanSecWest conference in Vancouver, British Columbia. The three-day contest, which ends on March 8, requires that security professionals play the role of attackers and compromise fully patched versions of popular browsers running on Windows 8 and Mac OS X. After a successful attack, which requires that the researcher gain control over the target system, the contestants must turn over the details of the vulnerability to Hewlett-Packard’s Zero Day Initiative (ZDI), which runs the competition. Those details are then passed to vendors to be patched.”
Computerworld’s Greg Keizer added, “A day after researchers hacked Chrome and Firefox at the Pwn2Own contest, Google and Mozilla patched their browsers Thursday. The contest also wound down yesterday after hackers had earned a record $480,000 over two days.”
TechSpot’s Jose Vilches noted, “No browser was left standing at this year’s Pwn2Own hacking contest. The latest versions of Microsoft’s Internet Explorer, Google’s Chrome, and Mozilla’s Firefox all succumbed to exploits on day one, with hackers targeting a variety of zero-day vulnerabilities on each browser and Windows to hijack the underlying computer.”
InformationWeek’s Matthew J. Schwartz observed, “But the prize money on offer is reportedly still a fraction of what a top-notch exploit commands on the open market. Accordingly, why bother participating? SecurityWeek’s Ryan Naraine put that question to Chaouki Bekrar, CEO of Vupen, which fielded employees who successfully exploited the latest version of Microsoft Internet Explorer 10 running on Windows 8, using an exploit that silently bypassed all built-in attack-mitigation techniques, including DEP and ASLR, as well as the IE10 sandbox. Bekrar replied that his goal was to advertise his business’s skill at creating ‘weaponized exploits.’ ‘The aim for us by coming here to Pwn2Own is to show that even the newest technologies, the newest operating systems, the newest browsers, can get pwned,’ he said.”