This week's Pwn2Own contest at the CanSecWest 2013 conference in Vancouver wrapped Thursday after more than $500,000 in prize money was awarded for exploiting -- sometimes in multiple ways -- the latest versions of all major browsers, as well as Windows 8, Mac OS X, and Acrobat, Java and Flash browser plug-ins.
The annual competition was hosted by HP's DVLabs Zero Day Initiative (ZDI), which offered cash prizes for the first team to demonstrate a unique exploit of everything from IE 9 on Windows 7 ($75,000) and Apple Safari on OS X Mountain Lion ($65,000) to Mozilla Firefox on Windows 7 ($60,000) and Oracle Java ($20,000).
Thursday, Vupen Security exploited the latest version of Adobe Flash, which earned the company $70,000, and a grand total of $250,000 for the two-day contest. The same day, George Hotz (Geohot) exploited Adobe Reader XI, saying that "the first thing I did was break into the sandbox, the next thing I did was break out," according to ZDI.
[ For more on the annual Pwn2Own hacking contest, see Java, Browsers, Windows Security Defeated At Pwn2Own. ]
Their efforts followed successful exploits Wednesday of IE10, Chrome, Java and Firefox, which collectively amassed $320,000 in prize money.
Interestingly, no team came forward to exploit IE 9 on Windows 7 or Apple Safari on OS X Mountain Lion. But in the latter case, some security watchers said that was probably because the Safari prize money ($65,000) offered for such an exploit -- which would likely also work on iOS -- paled compared to the estimated $500,000 it could earn on the open vulnerability market.
In a separate contest at CanSecWest dubbed Pwnium, Google offered up to $3.14 million for anyone who could hack the Google Chrome OS. But in this third year of the contest, Google said that no one managed to exploit the OS. "We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits," according to a statement released by Google.
As with Pwnium, the ZDI contest requires winners to divulge their exploits, including the bugs they used, before they receive any prize money. "As always, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program," read the contest rules. "If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is willing to accommodate that request."
Multiple developers of products exploited at Pwn2Own did so request, and less than 24 hours after Chrome and Firefox were exploited, Google and Mozilla had pushed browser updates that fixed the bugs that attackers had used.
"In all seriousness, impressed with the Chrome security guys," said MWR InfoSecurity researcher Jon Butler, who together with fellow employee Nils exploited Chrome. "Bug patched in front of us, lots of interesting discussions," he said.
But the ZDI contest has also drawn criticism for promoting the practice of developing and selling exploits. Notably, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, took to Twitter to criticize Vupen's CEO and head researcher Chaouki Bekrar for selling exploits.
In response, Bekrar said his company sells exploits only to trusted countries and government agencies. He noted via Twitter "we dont sell exploits to repressive regimes."
Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!