Top browsers exploited in first day of Pwn2Own

A total of $400,000 was given to Team Vupen and other researchers for their exploits.

Three of the most popular web browsers were exploited by participants on Wednesday, during the first day of the Pwn2Own hacking contest.

In addition to Firefox, Internet Explorer 11 (IE11), and Safari, participants were able to crack Adobe's Flash and Reader products, according to a blog post by Angela Gunn, senior security content developer for HP Security Research.

Researchers earned a total of $400,000, a first day record, for their exploits. Experts from Vupen, a French security firm that sells software vulnerability information to governments and businesses, earned a majority of that share, $300,000, for their work.

Team Vupen successfully exploited Adobe Flash, Reader, IE11, and Firefox. The Flash, Reader and Firefox hacks resulted in code execution, and the IE11 exploit allowed for a sandbox bypass.

Security researchers Jüri Aedla and Mariusz Mlynski successfully cracked Firefox. While Aedla's exploit results in code execution, Mlynski's could be leveraged to bypass browser security measures, according to the post. Each researcher earned $50,000 for their work.

In the contest's “sponsors-only” event, Pwn4Fun, Google performed a “very impressive” exploit on the Apple Safari browser running on Mac OS X, while the Zero Day Initiative successfully attempted a “multi-stage exploit” that includes a sandbox bypass on IE 11. The $82,500 won by the sponsors was given to the Canadian Red Cross, the charity of their choice.

Expect fixes addressing the issues in each of the products to be released soon.

“All of the vulnerabilities were disclosed to their respective vendors in the Chamber of Disclosures, and each will be working to address those issues through their own processes,” Gunn wrote.

The final day of the contest begins on Thursday at 10 a.m. PDT.
