Vulnerabilities / Threats
3/8/2013
02:02 PM
Connect Directly
RSS
E-Mail
50%
50%

Pwn2Own Prizes Exceed $500K For Exploits

Only Google Chrome OS withstands attack in annual hacking contest as Flash, Java and every major browser are exploited.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)

This week's Pwn2Own contest at the CanSecWest 2013 conference in Vancouver wrapped Thursday after more than $500,000 in prize money was awarded for exploiting -- sometimes in multiple ways -- the latest versions of all major browsers, as well as Windows 8, Mac OS X, and Acrobat, Java and Flash browser plug-ins.

The annual competition was hosted by HP's DVLabs Zero Day Initiative (ZDI), which offered cash prizes for the first team to demonstrate a unique exploit of everything from IE 9 on Windows 7 ($75,000) and Apple Safari on OS X Mountain Lion ($65,000) to Mozilla Firefox on Windows 7 ($60,000) and Oracle Java ($20,000).

Thursday, Vupen Security exploited the latest version of Adobe Flash, which earned the company $70,000, and a grand total of $250,000 for the two-day contest. The same day, George Hotz (Geohot) exploited Adobe Reader XI, saying that "the first thing I did was break into the sandbox, the next thing I did was break out," according to ZDI.

[ For more on the annual Pwn2Own hacking contest, see Java, Browsers, Windows Security Defeated At Pwn2Own. ]

Their efforts followed successful exploits Wednesday of IE10, Chrome, Java and Firefox, which collectively amassed $320,000 in prize money.

Interestingly, no team came forward to exploit IE 9 on Windows 7 or Apple Safari on OS X Mountain Lion. But in the latter case, some security watchers said that was probably because the Safari prize money ($65,000) offered for such an exploit -- which would likely also work on iOS -- paled compared to the estimated $500,000 it could earn on the open vulnerability market.

In a separate contest at CanSecWest dubbed Pwnium, Google offered up to $3.14 million for anyone who could hack the Google Chrome OS. But in this third year of the contest, Google said that no one managed to exploit the OS. "We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits," according to a statement released by Google.

As with Pwnium, the ZDI contest requires winners to divulge their exploits, including the bugs they used, before they receive any prize money. "As always, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program," read the contest rules. "If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is willing to accommodate that request."

Multiple developers of products exploited at Pwn2Own did so request, and less than 24 hours after Chrome and Firefox were exploited, Google and Mozilla had pushed browser updates that fixed the bugs that attackers had used.

"In all seriousness, impressed with the Chrome security guys," said MWR InfoSecurity researcher Jon Butler, who together with fellow employee Nils exploited Chrome. "Bug patched in front of us, lots of interesting discussions," he said.

But the ZDI contest has also drawn criticism for promoting the practice of developing and selling exploits. Notably, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, took to Twitter to criticize Vupen's CEO and head researcher Chaouki Bekrar for selling exploits.

In response, Bekrar said his company sells exploits only to trusted countries and government agencies. He noted via Twitter "we dont sell exploits to repressive regimes."

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
3/22/2013 | 8:39:10 PM
re: Pwn2Own Prizes Exceed $500K For Exploits
This is not only a great way to recruit IT talent, but also a creative way for companies to find the vulnerabilities within their system. The $500,00 dollars in prizes I ma sure attracts even the most modest system testers. How safe do you feel knowing that vulnerabilities are sold to government agencies to use for whatever purpose it deems necessary? Congratulations to all the winners and the advancing knowledge in the area of vulnerabilities.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio