Record prizes for Pwn2Own and Pwnium contestants
Posted on 13 March 2014.
The results of the first day of the traditional Pwn2Own hacking contest at the CanSecWest Conference currently taking place in Vancouver are in, and the losers are Adobe, Microsoft and Mozilla.


The team from French security firm and vulnerability/exploit vendor Vupen has raked in $300,000 by cracking Adobe Reader ($75,000), MS Internet Explorer 11 ($100,000), Adobe Flash ($75,000), and Mozilla Firefox ($50,000).

Firefox was compromised two more times on the same day by security researchers Mariusz Mlynski and Jüri Aedla, each of whom received the $50,000 prize.

"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw)," Vupen commented on its Twitter account. "We've pwnd IE11 on Win8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox."

It's interesting to note that Hewlett-Packard's Zero Day Initiative (ZDI), the organizer of the event, changed some of the contest rules almost at the last minute. The most important change is that everyone who succeeds in cracking one of the targets will be rewarded, not just the first team or individual who manages it. Of course, the vulnerabilities/exploits must be different.

"It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities," ZDI manager of vulnerability research Brian Gorenc commented on the day's results.

Before the contest started, teams from Google and ZDI participated in Pwn4Fun, a separate event that ended in the successful exploitation of a number of recently discovered vulnerabilities in Safari and IE. The prizes ($82,500 in total) were donated to the Canadian Red Cross.

Also on Wednesday, the first day of the Google-sponsored Pwnium contest ended with one researcher exploiting Chrome OS on an HP Chromebook 11, winning both the notebook and a prize of $150,000. The contest continues on Thursday.

Pwn2Own continues, and the scheduled "attacks" are against Safari, IE, Firefox, Flash and Chrome. Unfortunately, there are no scheduled contestants for the spectacularly announced Exploit Unicorn multi-product event.









Copyright 1998-2015 by Help Net Security.