Top browsers exploited in first day of Pwn2Own

A total of $400,000 was given to Team Vupen and other researchers for their exploits.

Three of the most popular web browsers were exploited by participants on Wednesday, during the first day of the Pwn2Own hacking contest.

In addition to Firefox, Internet Explorer 11 (IE11), and Safari, participants were able to crack Adobe's Flash and Reader products, according to a blog post by Angela Gunn, senior security content developer for HP Security Research.

Researchers earned a total of $400,000, a first-day record, for their exploits. Experts from Vupen, a French security firm that sells software vulnerability information to governments and businesses, earned the majority of that sum, $300,000, for their work.

Team Vupen successfully exploited Adobe Flash, Reader, IE11, and Firefox. The Flash, Reader and Firefox hacks resulted in code execution, and the IE11 exploit allowed for a sandbox bypass.

Security researchers Jüri Aedla and Mariusz Mlynski successfully cracked Firefox. While Aedla's exploit resulted in code execution, Mlynski's could be leveraged to bypass browser security measures, according to the post. Each researcher earned $50,000 for their work.

In the contest's “sponsors-only” event, Pwn4Fun, Google performed a “very impressive” exploit on the Apple Safari browser running on Mac OS X, while the Zero Day Initiative successfully carried out a “multi-stage exploit” that included a sandbox bypass on IE11. The $82,500 won by the sponsors was given to the Canadian Red Cross, the charity of their choice.

Expect fixes addressing the issues in each of the products to be released soon.

“All of the vulnerabilities were disclosed to their respective vendors in the Chamber of Disclosures, and each will be working to address those issues through their own processes,” Gunn wrote.

The final day of the contest begins on Thursday at 10 a.m. PDT.
