Vulnerabilities / Threats
06:22 PM
Connect Directly

Pwn2Own Hackers Bring Popular Browsers To Their Knees

Internet Explorer, Google Chrome, and Mozilla Firefox were all among the casualties at this year's Pwn2Own competition at CanSecWest

The results from the annual Pwn2Own hacking contest are in, and the score is as follows: hackers one, software zero.

During the past two days, security researchers pwned Microsoft Internet Explorer 10, Google Chrome, and Mozilla Firefox at the competition, which was held at this week's CanSecWest Applied Security conference in Vancouver. Besides the browsers, this year's researchers also successfully compromised Oracle Java, Adobe Flash Player, and Adobe Reader. The only browser that was part of the competition that was not compromised was Apple Safari running on Mac OS X Mountain Lion.

Collectively, the researchers' winnings totaled $480,000 in cash prizes, in addition to the hardware they compromised and ZDI awards points.

"To remind you: in the world of PWN2OWN, 'successful attack' means that merely by browsing to untrusted web content, you're able to inject and run arbitrary executable code outside the browser," blogs Paul Ducklin of Sophos. "In the real world, that means you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser."

VUPEN Security, a vulnerability research firm based in France, announced Wednesday its researchers were able to compromise a Microsoft Surface Pro running Windows 8 by exploiting two IE zero-days. Not long after, VUPEN Security pwned Firefox with a use-after-free vulnerability, as well as a "brand new technique" to bypass address space layout randomization and data execution prevention on Windows 7 without the need for return-oriented programming.

Researchers from VUPEN also compromised Adobe Flash Player and joined independent researcher Ben Murphy, Joshua Drake of Accuvant, and James Forshaw of Context Information Security in exploiting Java. Security researcher George Hotz successfully compromised Adobe Reader, while MWR Labs researchers Nils -- who goes only by his first name -- and Jon Butler were responsible for cracking Google's Chrome browser.

"We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop," according to a blog post by MWR Labs. "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

The duo was able to do this despite the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections in Windows 7.

Traditionally focused on browser vulnerabilities, participants this year were also able to target browser plug-in issues, as well, due to the growing popularity of the bugs in exploit kits. All successful vulnerabilities and exploits used by preregistered contestants are being purchased by the HP Zero Day Initiative [ZDI].

"The relationship between discovered vulnerabilities and browser security is a real problem that’s not going to improve anytime soon," says Tim Erlin, director of IT security and risk strategy for nCircle. "It's often the case that code added to address one type of vulnerability adds further complexity that can then be exploited in new ways. As the code base for browsers get larger, it provides more opportunities and code paths for attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
3/9/2013 | 2:06:34 AM
re: Pwn2Own Hackers Bring Popular Browsers To Their Knees
Mozilla and Google were quick on the draw to issue updates to their browsers in the wake of the contest...Wondering if this is the fastest turnaround yet of patches post-PWN2OWN.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.