Menu
All major browsers fall during second day at Pwn2Own hacking contest

All major browsers fall during second day at Pwn2Own hacking contest

Researchers demonstrate remote code execution exploits against Internet Explorer, Chrome, Firefox and Safari

Security researchers demonstrated zero-day exploits against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox and Adobe Flash Player during the second day of the Pwn2Own hacking competition Thursday, racking up total prizes of US$450,000.

A team from French vulnerability research firm Vupen hacked Google Chrome by exploiting a use-after-free vulnerability that affects both the WebKit and Blink rendering engines. The researchers then successfully bypassed Chrome's sandbox protection to execute arbitrary code on the underlying system.

On Wednesday, the first day of the contest that takes place every year at the CanSecWest security conference in Vancouver, researchers from the same team hacked Internet Explorer 11, Firefox, Flash Player and Adobe Reader.

Another anonymous researcher presented a Chrome remote code execution exploit Thursday, but the contest judges declared it only a partial win because some details of the hack were similar to those of an exploit presented earlier at Pwnium, Google's own hacking contest that runs aside Pwn2Own.

Well known iPhone and PlayStation 3 hacker George Hotz, known online as geohot, demonstrated a remote code execution exploit against Firefox, making it the competition's fourth successful hack against Mozilla's browser. Aside from Team Vupen, security researchers Jüri Aedla and Mariusz Mlynski had also compromised Firefox during the first day of the contest by exploiting different vulnerabilities.

On Thursday, researchers Sebastian Apelt and Andreas Schmidt demonstrated a browser-based exploit against Microsoft Internet Explorer that chained together two use-after-free vulnerabilities and a Windows kernel bug to open the Windows calculator application, proving remote code execution.

Another researcher, Liang Chen of the Chinese Keen Team, combined a heap overflow vulnerability with a sandbox bypass to achieve remote code execution through Apple Safari. He and fellow researcher Zeguang Zhou of team509 then demonstrated a remote code execution exploit for Adobe Flash Player.

All the vulnerabilities exploited during Pwn2Own were shared with the vendors of the affected products.

The prizes won during the second and final day of the competition put the total contest payout to a record $850,000, not including charitable donations or the value of the test laptops won by the researchers after their successful hacks.

During a side challenge dubbed Pwn4Fun, security researchers from Google competed against researchers from Hewlett-Packard's DVLabs Zero Day Initiative (ZDI) who organize the Pwn2Own contest. The Google team hacked Apple Safari and the ZDI team hacked IE11 by combining multiple exploits. The challenge raised $82,500 for the Canadian Red Cross.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesVupenonline safetysecurityMicrosoftadobeExploits / vulnerabilitiesHewlett-PackardmozillaAppleGoogle

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments