Vulnerabilities / Threats
3/8/2013
02:02 PM
50%
50%

Pwn2Own Prizes Exceed $500K For Exploits

Only Google Chrome OS withstands attack in annual hacking contest as Flash, Java and every major browser are exploited.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)

This week's Pwn2Own contest at the CanSecWest 2013 conference in Vancouver wrapped Thursday after more than $500,000 in prize money was awarded for exploiting -- sometimes in multiple ways -- the latest versions of all major browsers, as well as Windows 8, Mac OS X, and Acrobat, Java and Flash browser plug-ins.

The annual competition was hosted by HP's DVLabs Zero Day Initiative (ZDI), which offered cash prizes for the first team to demonstrate a unique exploit of everything from IE 9 on Windows 7 ($75,000) and Apple Safari on OS X Mountain Lion ($65,000) to Mozilla Firefox on Windows 7 ($60,000) and Oracle Java ($20,000).

Thursday, Vupen Security exploited the latest version of Adobe Flash, which earned the company $70,000, and a grand total of $250,000 for the two-day contest. The same day, George Hotz (Geohot) exploited Adobe Reader XI, saying that "the first thing I did was break into the sandbox, the next thing I did was break out," according to ZDI.

[ For more on the annual Pwn2Own hacking contest, see Java, Browsers, Windows Security Defeated At Pwn2Own. ]

Their efforts followed successful exploits Wednesday of IE10, Chrome, Java and Firefox, which collectively amassed $320,000 in prize money.

Interestingly, no team came forward to exploit IE 9 on Windows 7 or Apple Safari on OS X Mountain Lion. But in the latter case, some security watchers said that was probably because the Safari prize money ($65,000) offered for such an exploit -- which would likely also work on iOS -- paled compared to the estimated $500,000 it could earn on the open vulnerability market.

In a separate contest at CanSecWest dubbed Pwnium, Google offered up to $3.14 million for anyone who could hack the Google Chrome OS. But in this third year of the contest, Google said that no one managed to exploit the OS. "We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits," according to a statement released by Google.

As with Pwnium, the ZDI contest requires winners to divulge their exploits, including the bugs they used, before they receive any prize money. "As always, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program," read the contest rules. "If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is willing to accommodate that request."

Multiple developers of products exploited at Pwn2Own did so request, and less than 24 hours after Chrome and Firefox were exploited, Google and Mozilla had pushed browser updates that fixed the bugs that attackers had used.

"In all seriousness, impressed with the Chrome security guys," said MWR InfoSecurity researcher Jon Butler, who together with fellow employee Nils exploited Chrome. "Bug patched in front of us, lots of interesting discussions," he said.

But the ZDI contest has also drawn criticism for promoting the practice of developing and selling exploits. Notably, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, took to Twitter to criticize Vupen's CEO and head researcher Chaouki Bekrar for selling exploits.

In response, Bekrar said his company sells exploits only to trusted countries and government agencies. He noted via Twitter "we dont sell exploits to repressive regimes."

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
3/22/2013 | 8:39:10 PM
re: Pwn2Own Prizes Exceed $500K For Exploits
This is not only a great way to recruit IT talent, but also a creative way for companies to find the vulnerabilities within their system. The $500,00 dollars in prizes I ma sure attracts even the most modest system testers. How safe do you feel knowing that vulnerabilities are sold to government agencies to use for whatever purpose it deems necessary? Congratulations to all the winners and the advancing knowledge in the area of vulnerabilities.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.