Top browsers exploited in first day of Pwn2Own

A total of $400,000 was given to Team Vupen and other researchers for their exploits.

Three of the most popular web browsers were exploited by participants on Wednesday, during the first day of the Pwn2Own hacking contest.

In addition to Firefox, Internet Explorer 11 (IE11), and Safari, participants were able to crack Adobe's Flash and Reader products, according to a blog post by Angela Gunn, senior security content developer for HP Security Research.

Researchers earned a total of $400,000, a first-day record, for their exploits. Experts from Vupen, a French security firm that sells software vulnerability information to governments and businesses, earned the majority of that sum, $300,000, for their work.

Team Vupen successfully exploited Adobe Flash, Reader, IE11, and Firefox. The Flash, Reader and Firefox hacks resulted in code execution, and the IE11 exploit allowed for a sandbox bypass.

Security researchers Jüri Aedla and Mariusz Mlynski successfully cracked Firefox. While Aedla's exploit results in code execution, Mlynski's could be leveraged to bypass browser security measures, according to the post. Each researcher earned $50,000 for their work.

In the contest's “sponsors-only” event, Pwn4Fun, Google performed a “very impressive” exploit on the Apple Safari browser running on Mac OS X, while the Zero Day Initiative successfully carried out a “multi-stage exploit” that includes a sandbox bypass on IE11. The $82,500 won by the sponsors was given to the Canadian Red Cross, the charity of their choice.

Expect fixes addressing the issues in each of the products to be released soon.

“All of the vulnerabilities were disclosed to their respective vendors in the Chamber of Disclosures, and each will be working to address those issues through their own processes,” Gunn wrote.

The final day of the contest begins on Thursday at 10 a.m. PDT.
