Vulnerabilities / Threats
3/8/2013
02:02 PM
Connect Directly
RSS
E-Mail
50%
50%

Pwn2Own Prizes Exceed $500K For Exploits

Only Google Chrome OS withstands attack in annual hacking contest as Flash, Java and every major browser are exploited.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)

This week's Pwn2Own contest at the CanSecWest 2013 conference in Vancouver wrapped Thursday after more than $500,000 in prize money was awarded for exploiting -- sometimes in multiple ways -- the latest versions of all major browsers, as well as Windows 8, Mac OS X, and Acrobat, Java and Flash browser plug-ins.

The annual competition was hosted by HP's DVLabs Zero Day Initiative (ZDI), which offered cash prizes for the first team to demonstrate a unique exploit of everything from IE 9 on Windows 7 ($75,000) and Apple Safari on OS X Mountain Lion ($65,000) to Mozilla Firefox on Windows 7 ($60,000) and Oracle Java ($20,000).

Thursday, Vupen Security exploited the latest version of Adobe Flash, which earned the company $70,000, and a grand total of $250,000 for the two-day contest. The same day, George Hotz (Geohot) exploited Adobe Reader XI, saying that "the first thing I did was break into the sandbox, the next thing I did was break out," according to ZDI.

[ For more on the annual Pwn2Own hacking contest, see Java, Browsers, Windows Security Defeated At Pwn2Own. ]

Their efforts followed successful exploits Wednesday of IE10, Chrome, Java and Firefox, which collectively amassed $320,000 in prize money.

Interestingly, no team came forward to exploit IE 9 on Windows 7 or Apple Safari on OS X Mountain Lion. But in the latter case, some security watchers said that was probably because the Safari prize money ($65,000) offered for such an exploit -- which would likely also work on iOS -- paled compared to the estimated $500,000 it could earn on the open vulnerability market.

In a separate contest at CanSecWest dubbed Pwnium, Google offered up to $3.14 million for anyone who could hack the Google Chrome OS. But in this third year of the contest, Google said that no one managed to exploit the OS. "We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits," according to a statement released by Google.

As with Pwnium, the ZDI contest requires winners to divulge their exploits, including the bugs they used, before they receive any prize money. "As always, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program," read the contest rules. "If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is willing to accommodate that request."

Multiple developers of products exploited at Pwn2Own did so request, and less than 24 hours after Chrome and Firefox were exploited, Google and Mozilla had pushed browser updates that fixed the bugs that attackers had used.

"In all seriousness, impressed with the Chrome security guys," said MWR InfoSecurity researcher Jon Butler, who together with fellow employee Nils exploited Chrome. "Bug patched in front of us, lots of interesting discussions," he said.

But the ZDI contest has also drawn criticism for promoting the practice of developing and selling exploits. Notably, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, took to Twitter to criticize Vupen's CEO and head researcher Chaouki Bekrar for selling exploits.

In response, Bekrar said his company sells exploits only to trusted countries and government agencies. He noted via Twitter "we dont sell exploits to repressive regimes."

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
3/22/2013 | 8:39:10 PM
re: Pwn2Own Prizes Exceed $500K For Exploits
This is not only a great way to recruit IT talent, but also a creative way for companies to find the vulnerabilities within their system. The $500,00 dollars in prizes I ma sure attracts even the most modest system testers. How safe do you feel knowing that vulnerabilities are sold to government agencies to use for whatever purpose it deems necessary? Congratulations to all the winners and the advancing knowledge in the area of vulnerabilities.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.