Malware, Network Security, Vulnerability Management

Down go Chrome, Firefox, IE 10, Java, Win 8 at Pwn2Own hacker fest

Web browsers Google Chrome, Internet Explorer and Firefox, along with Windows 8 and Java, have been exploited in the Pwn2Own hacking contest in Canada.

Each attack at the CanSecWest conference in Vancouver, British Columbia used zero-day vulnerabilities on a fully patched Windows 7, 8 and OS X Mountain Lion operating system with default configurations. Pwn2Own is run by HP's DVLabs Zero Day Initiative.

Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) exploit-prevention functionality in Windows, French vulnerability firm and exploit seller Vupen said.

Windows 8 also fell to Vupen researchers, who cracked Microsoft's Surface Pro tablet using two Internet Explorer zero-day vulnerabilities and a sandbox bypass.  

Java, meanwhile, fell to Accuvant Labs' Josh Drake, Contextis' James Forshaw and Vupen, which broke the platform by finding a heap overflow. 

MWRLabs researchers "Nils" and Jon Butler chalked up a reliable sandbox bypass exploit against zero-day vulnerabilities in Chrome. The attack was made by pointing the browser running on an updated Windows operating system to a malicious web page, which granted code execution in the "sandbox rendering" process.

The pair also found a kernel vulnerability that permitted arbitrary commands execution outside of the sandbox with system privileges.

More than half a million dollars was up for grabs in the Pwn2Own. Researchers could earn $100,000 for popping Chrome on Windows 7; the same for hacking Internet Explorer 10 on Win 8; $75,000 for ripping up IE9 on Win 7; $60,000 for owning Firefox on Win 7; and $65,000 for exploiting Apple Safari on OS X Mountain Lion.

Owning IE9 plug-ins on Win 7 attracted $70,000 for Adobe Reader XI, $70,000 for Adobe Flash and $20,000 for Java.

Google will offer a whopping $3.14 million at its sister Pwnium contest, which runs alongside Pwn2Own. The attacks will occur on a WiFi Samsung Series 5 550 Chromebook running an updated stable version of Chrome OS.

The cash pool will be divided into $110,000 for a browser or system level compromise in guest mode or as a logged-in user, delivered via a web page; and $150,000 for a compromise with device persistence – guest to guest with interim reboot, delivered via a web page.

Google shored up Chrome's defenses in the lead up to the hacking contest, with 10 patches that addressed six high-severity flaws. 

A major reason that Google launched its own contest, which premiered at last year's CanSecWest, and dropped support for Pwn2Own was so that it could guarantee it would receive details surrounding the exploits. The Pwn2Own contest doesn't require researchers submit "sandbox escape" information to affected vendors.

This story originally appeared on SCMagazine.com.au.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.