H4x0r c0re

Pwn2Own hacking contest reveals bugs in browsers, duh

Natali Vlatko

The annual Pwn2Own fest has given software developers a decent headache, thanks to newfangled bugs discovered in Adobe Flash and Reader, Microsoft’s Windows and IE, and Mozilla’s Firefox.

This year’s Pwn2Own hacking event at CanSecWest has unveiled some nasty surprises for a bunch of browsers, with a select group of hackers walking away with a decent sum of cash for their trouble.

The competition is run by HP’s Zero Day Initiative (ZDI) and Google’s Project Zero, who were recently making headlines for their exploitation of the DRAM ‘rowhammer’ bug to gain Linux kernel privileges. The event pits security researchers against some popular apps in a time-limited hacking contest.

Microsoft needs to up their game

Microsoft was notably the event’s biggest loser, with researcher Mariusz Mlynski able to exploit a cross-origin vulnerability in Firefox to attack a logical flaw in Windows for privilege escalation and remote code execution on day one of the proceedings. To further ruffle Microsoft’s feathers, he was able to do it in just 0.512 seconds – holy crap.

If that didn’t get Microsoft’s attention, Internet Explorer fared the worst in terms of bugs found at the event. Keeping true to the contest’s rules of exploitation, researchers were able to break through IE’s security systems and make it run code that it wasn’t supposed to a total of four times. All four bugs were showcased on a fully-patched Windows 8.1 operating system.

Windows was once again brought to its knees by the Tencent PCMgr and KeenTeam hacking collectives, who were able to take control of the heap in Adobe Reader with an integer overflow, which subsequently allowed them to gain SYSTEM-level code execution in Windows via a bug in the kernel’s TrueType fonts.

Adobe Flash was also an early victim, with researcher Nicolas Joly combining a use-after-free (UAF) remote code execution vulnerability and a sandbox-escape directory traversal vulnerability to execute arbitrary code. He additionally harvested information from Reader, running arbitrary code remotely.

Mac got owned, too

PCs weren’t the only pieces of hardware getting spanked during the contest – Macs got their own serving of bug-love, too. South Korean security researcher Jung Hoon Lee was the biggest prize-winner of the event, taking home a whopping US $225,000 on day two after an epic amount of hacking in IE, Chrome and Safari.

Lee neutered Apple’s Safari with a UAF vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac.

The competition’s main sponsors calculated the following numbers for the Pwn2Own 2015 event:

  • 5 bugs in the Windows OS
  • 4 bugs in Internet Explorer 11
  • 3 bugs in Mozilla Firefox
  • 3 bugs in Adobe Reader
  • 3 bugs in Adobe Flash
  • 2 bugs in Apple Safari
  • 1 bug in Google Chrome
  • US $557,500 bounty paid out to researchers

All vulnerabilities discovered during the hacking fest were disclosed to their respective vendors in the so-called “Chamber of Disclosures,” allowing each vendor to work on fixing the bugs through their own processes and patching, before information is shared publicly.

Author
Natali Vlatko
An Australian who calls Berlin home, via a two year love affair with Singapore. Natali was an Editorial Assistant for JAXenter.com (S&S Media Group).
