During the past two days, security researchers pwned Microsoft Internet Explorer 10, Google Chrome, and Mozilla Firefox at the competition, which was held at this week's CanSecWest Applied Security conference in Vancouver. Besides the browsers, this year's researchers also successfully compromised Oracle Java, Adobe Flash Player, and Adobe Reader. The only browser that was part of the competition that was not compromised was Apple Safari running on Mac OS X Mountain Lion.
Collectively, the researchers' winnings totaled $480,000 in cash prizes, in addition to the hardware they compromised and ZDI awards points.
"To remind you: in the world of PWN2OWN, 'successful attack' means that merely by browsing to untrusted web content, you're able to inject and run arbitrary executable code outside the browser," blogs Paul Ducklin of Sophos. "In the real world, that means you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser."
VUPEN Security, a vulnerability research firm based in France, announced Wednesday that its researchers had compromised a Microsoft Surface Pro running Windows 8 by exploiting two IE zero-days. Not long after, VUPEN Security pwned Firefox with a use-after-free vulnerability, as well as a "brand new technique" to bypass address space layout randomization and data execution prevention on Windows 7 without the need for return-oriented programming.
Researchers from VUPEN also compromised Adobe Flash Player and joined independent researcher Ben Murphy, Joshua Drake of Accuvant, and James Forshaw of Context Information Security in exploiting Java. Security researcher George Hotz successfully compromised Adobe Reader, while MWR Labs researchers Nils -- who goes only by his first name -- and Jon Butler were responsible for cracking Google's Chrome browser.
"We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop," according to a blog post by MWR Labs. "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."
The duo was able to do this despite the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections in Windows 7.
The competition has traditionally focused on browser vulnerabilities, but participants this year were also able to target browser plug-in flaws, because such bugs have become increasingly popular in exploit kits. All vulnerabilities and exploits used successfully by preregistered contestants are being purchased by the HP Zero Day Initiative (ZDI).
"The relationship between discovered vulnerabilities and browser security is a real problem that's not going to improve anytime soon," says Tim Erlin, director of IT security and risk strategy for nCircle. "It's often the case that code added to address one type of vulnerability adds further complexity that can then be exploited in new ways. As the code base for browsers gets larger, it provides more opportunities and code paths for attack."