Menu
All major browsers hacked at Pwn2Own contest

All major browsers hacked at Pwn2Own contest

Adobe Reader and Flash Player fell as well

Security researchers who participated in the Pwn2Own hacking contest this week demonstrated remote code execution exploits against the top four browsers, and also hacked the widely used Adobe Reader and Flash Player plug-ins.

On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X.

He walked away with US$225,000 in prize money, not including the value of the brand new laptops on which the exploits are demonstrated and which the winners get to take home.

The Pwn2Own contest takes place every year at the CanSecWest security conference in Vancouver, Canada, and is sponsored by Hewlett-Packard's Zero Day Initiative program. The contest pits researchers against the latest 64-bit versions of the top four browsers in order to demonstrate Web-based attacks that can execute rogue code on underlying systems.

Lee's attack against Google Chrome earned him the largest payout for a single exploit in the history of the competition: $75,000 for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 for also hitting the browser's beta version -- for a total of $110,000.

The IE11 exploit earned him an additional $65,000 and the Safari hack $50,000.

Lee's accomplishment is particularly impressive because he competed alone, unlike other researchers who teamed up, HP's security research team said in a blog post.

Also on Thursday, a researcher who uses the hacker handle ilxu1a popped Mozilla Firefox on Windows for a $15,000 prize. He also attempted a Chrome exploit, but ran out of time before he managed to get his attack code working.

Mozilla Firefox was also hacked Wednesday, during the first day of the competition, by a researcher named Mariusz Mlynski. His exploit also leveraged a Windows flaw to gain SYSTEM privileges, earning him a $25,000 bonus on top of the standard $30,000 payout for the Firefox hack.

Earlier that same day Chinese researchers from Team509 and KeenTeam joined forces to exploit Flash Player running in Internet Explorer 11 on Windows. They also combined their attack with a privilege escalation flaw in the Windows kernel, for a total prize of $85,000.

The KeenTeam researchers, joined by Jun Mao from Tencent PC Manager, later hacked Adobe Reader in IE11 and topped their attack with a SYSTEM privilege escalation for another $55,000 prize.

Adobe Reader and Flash Player were also successfully hacked by Nicolas Joly, who competed for French security firm Vupen in the past. He walked away with a $90,000 prize for his exploits.

Most of the attacks demonstrated at Pwn2Own this year required chaining of several vulnerabilities together in order to bypass all defense mechanisms put in place in operating systems and browsers to prevent remote code execution.

The final count for vulnerabilities exploited this year stands as follows: five flaws in the Windows OS, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader, and Flash Player, two in Apple Safari and one in Google Chrome. All bugs were reported to the affected vendors after the contest, as part of the competition's rules.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityMicrosoftGoogleAppleHewlett-Packardmozillaonline safetypatchesExploits / vulnerabilitiesDesktop security

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments