Vulnerabilities / Threats
3/8/2013
02:02 PM
50%
50%

Pwn2Own Prizes Exceed $500K For Exploits

Only Google Chrome OS withstands attack in annual hacking contest as Flash, Java and every major browser are exploited.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)

This week's Pwn2Own contest at the CanSecWest 2013 conference in Vancouver wrapped Thursday after more than $500,000 in prize money was awarded for exploiting -- sometimes in multiple ways -- the latest versions of all major browsers, as well as Windows 8, Mac OS X, and Acrobat, Java and Flash browser plug-ins.

The annual competition was hosted by HP's DVLabs Zero Day Initiative (ZDI), which offered cash prizes for the first team to demonstrate a unique exploit of everything from IE 9 on Windows 7 ($75,000) and Apple Safari on OS X Mountain Lion ($65,000) to Mozilla Firefox on Windows 7 ($60,000) and Oracle Java ($20,000).

Thursday, Vupen Security exploited the latest version of Adobe Flash, which earned the company $70,000, and a grand total of $250,000 for the two-day contest. The same day, George Hotz (Geohot) exploited Adobe Reader XI, saying that "the first thing I did was break into the sandbox, the next thing I did was break out," according to ZDI.

[ For more on the annual Pwn2Own hacking contest, see Java, Browsers, Windows Security Defeated At Pwn2Own. ]

Their efforts followed successful exploits Wednesday of IE10, Chrome, Java and Firefox, which collectively amassed $320,000 in prize money.

Interestingly, no team came forward to exploit IE 9 on Windows 7 or Apple Safari on OS X Mountain Lion. But in the latter case, some security watchers said that was probably because the Safari prize money ($65,000) offered for such an exploit -- which would likely also work on iOS -- paled compared to the estimated $500,000 it could earn on the open vulnerability market.

In a separate contest at CanSecWest dubbed Pwnium, Google offered up to $3.14 million for anyone who could hack the Google Chrome OS. But in this third year of the contest, Google said that no one managed to exploit the OS. "We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits," according to a statement released by Google.

As with Pwnium, the ZDI contest requires winners to divulge their exploits, including the bugs they used, before they receive any prize money. "As always, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program," read the contest rules. "If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is willing to accommodate that request."

Multiple developers of products exploited at Pwn2Own did so request, and less than 24 hours after Chrome and Firefox were exploited, Google and Mozilla had pushed browser updates that fixed the bugs that attackers had used.

"In all seriousness, impressed with the Chrome security guys," said MWR InfoSecurity researcher Jon Butler, who together with fellow employee Nils exploited Chrome. "Bug patched in front of us, lots of interesting discussions," he said.

But the ZDI contest has also drawn criticism for promoting the practice of developing and selling exploits. Notably, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, took to Twitter to criticize Vupen's CEO and head researcher Chaouki Bekrar for selling exploits.

In response, Bekrar said his company sells exploits only to trusted countries and government agencies. He noted via Twitter "we dont sell exploits to repressive regimes."

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
3/22/2013 | 8:39:10 PM
re: Pwn2Own Prizes Exceed $500K For Exploits
This is not only a great way to recruit IT talent, but also a creative way for companies to find the vulnerabilities within their system. The $500,00 dollars in prizes I ma sure attracts even the most modest system testers. How safe do you feel knowing that vulnerabilities are sold to government agencies to use for whatever purpose it deems necessary? Congratulations to all the winners and the advancing knowledge in the area of vulnerabilities.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-2214
Published: 2015-03-05
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.

CVE-2015-2215
Published: 2015-03-05
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

CVE-2015-2216
Published: 2015-03-05
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.

CVE-2015-2218
Published: 2015-03-05
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a w...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.