Security Advisor

IE 10 Running on Surface Hacked in 10 Minutes

The Pwn2Own contest has already taken down Microsoft's latest Internet browser.

Pwn2Own 2013, the event where security pros get paid for breaking software, was held last week during the annual CanSecWest security contest, and the major browser players all took their punishment.

The highlight was the fall of a newcomer, Internet Explorer 10, which was defeated at the hands of VUPEN Security on day one of the competition.

What made the feat impressive was that it was done on a Surface Pro tablet running Windows 8 -- another newcomer to this year's event. The French firm was able to recreate the exploit in both the Desktop and the Windows App Store (Metro) versions of the browser within the first 10 minutes of the competition's start.

"The exploit fully bypassed all Windows 8 security protections and exploit mitigation technologies including HiASLR, DEP, AntiROP and Protected Mode sandbox," wrote VUPEN.

For that quick bit of hacking, the firm was awarded $100,000 from HP's TippingPoint, the security and risk management branch of the hardware manufacturer.

But that wasn't it for VUPEN. Later in the day it successfully exploited a hole in the latest version of Firefox running on Windows 7 and found a new hole in Java (which doesn't seem too difficult to do). For those additional hacks, the company was awarded an additional $60,000.

Another notable (and profitable) hack came the next day when a two-man team pulled off a full sandbox bypass against Google Chrome on Windows 7. Here's how the team from MWR Labs did it: "By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process," wrote MWR Labs in a blog post. "We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

For that bit of cyber wizardry, the team was awarded $100,000.

HP said it bought all successful exploits, whether prize winners or not, and over half a million bucks was awarded over the three-day hacking competition.

About the Author

Chris Paoli is the site producer for and

