Skip Links

Researchers rake in $280K at Pwn2Own hacking contest

Teams hack IE10, Chrome 25, Firefox 19, and Java 7 as eighth Pwn2Own gets off to an impressive start

By Gregg Keizer, Computerworld
March 07, 2013 07:05 AM ET

Computerworld - Research teams Wednesday cracked Microsoft's Internet Explorer 10 (IE10), Google's Chrome and Mozilla's Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.

Earlier in the day, a solo hacker exploited Oracle's Java to win $20,000.

Vupen, a French vulnerability research and bug-selling firm that took first place at Pwn2Own last year, brought down IE10 running on a Windows 8 powered Surface Pro tablet by exploiting a pair of flaws.

"We've pwned [Microsoft's] Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," Vupen announced on Twitter Wednesday afternoon.

HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program is co-sponsoring Pwn2Own this year -- Google has also pumped money into the contest -- confirmed the Vupen hack in a tweet of its own.

According to Pwn2Own's rules, which were dramatically revised from 2012's challenge, the first researcher or team of researchers to hack IE10 on Windows 8 wins a $100,000 cash prize, plus the machine hosting the browser target.

Toward the end of the day, Vupen followed up with an exploit of Firefox 19 on Windows 7, collecting another $60,000.

Pwn2Own started Wednesday at the CanSecWest security conference in Vancouver, British Columbia, and will run through Friday.

Also on Wednesday, a two-man team from MWR Labs, an arm of UK-based MWR InfoSecurity, hacked Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, vulnerabilities in the browser and operating system.

Like the Vupen hack of IE10, MWR Labs' exploit of Chrome resulted in a complete bypass of Windows anti-exploit "sandbox" technology. The MWR Labs researchers who found the bugs, built the exploits, and demonstrated their skills at Pwn2Own were Nils -- a young German who is known only by his first name -- and Jon Butler. Nils has a Pwn2Own history: He won $10,000 by hacking Mozilla's Firefox in 2010, and $15,000 the year before for exploiting Firefox, IE8 and Apple's Safari.

Nils and Butler described their Chrome hack in a brief blog post Wednesday, outlining how they defeated Windows' security defenses, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

For their work, Nils and Butler received $100,000.

At the opening of the contest, a pair of solo researchers -- James Forshaw, a principal consultant at Context Information Security in the U.K., and Joshua Drake of Accuvant -- exploited Oracle's Java. Forshaw, who took his jabs first, won $20,000, Pwn2Own's lowest-priced prize. Vupen also successfully hacked Java 7 with a vulnerability and exploit of its own.

In a departure from the original rules, ZDI said that it would purchase all successful vulnerabilities and their associated exploits from researchers, even those that were not awarded prizes. It did not say how much hackers would earn by selling such secondary flaws: ZDI and other bug bounty programs typically are tight-lipped about what they pay.

Several prizes went unclaimed Wednesday, including the two $70,000 awards for Adobe's Flash Player and Adobe Reader on Windows 7, and the $65,000 check for Safari on OS X Mountain Lion. Flash and Reader are slated to be attacked today.

Originally published on Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News