Security Advisor
Firefox, Safari and IE Brought Down in Annual Pwn2Own Hacking Contest
The HP-sponsored event proved that while today's software is more secure than ever, vulnerabilities will be found once money is on the line.
Last week's Pwn2Own hacking contest, sponsored by HP, proved once again that when there's cold, hard cash on the line, no software or application is safe. And in this year's contest, held during the CanSecWest security conference in Vancouver, many of the major Web browsers fell to the power of greed.
In just the first of the two contest days, hackers were awarded $400,000 for finding and properly demoing security vulnerabilities, with the biggest target being Mozilla's Firefox Web browser. In that single day of competition, three unique vulnerabilities were put on display -- each gaining the individual or group responsible $50,000.
Mozilla was quick to take advantage of the money spent by HP and fixed the found issues in the following days after the event. "We implemented all of the fixes over the weekend and will release them on Tuesday with Firefox 28," said Sid Stamm, Mozilla's senior engineering manager of security and privacy, to The Inquirer. "By Friday, we expect everyone will be offered the updates, though users can get them manually at any time after the release by checking for Firefox updates."
Apple's Safari browser and Microsoft's Internet Explorer also didn't leave that day unscathed, as they were part of a new even for this year called Pwn2Fun in which a security team from Google battled a team from HP to see who could find the most browser bypasses for charity. The team from Google took down Apple's browser with a root bypass and the HP team presented a multi-step sandbox bypass of IE. For both their efforts, $82,500 was raised for the Canadian Red Cross.
Just like last year's contest, the team from Vupen security firm took home the most in prize money with $300,000 in just the first day for disclosing unique exploits in Internet Explorer, Adobe Reader, Flash and Firefox, and another $100,000 in day two for finding a broad flaw in all Web browsers built on WebKit.
"The first motivation for coming to Pwn2Own is the challenge to show that even the most secure browsers and products can still be compromised," said Chaouki Bekrar, researcher at Vupen.
While Vupen made finding vulnerabilities easy, Bekrar told Kaspersky Labs that finding Web browser holes are more difficult today than ever to find due to the increased importance on companies releasing more-secure software. "It's definitely getting harder to exploit browsers, especially on Windows 8.1," Bekrar said. "Exploitation is harder and finding zero-days in browsers is harder."