Vulnerability Management

Top browsers exploited in first day of Pwn2Own

Three of the most popular web browsers were exploited by participants on Wednesday, during the first day of the Pwn2Own hacking contest.

In addition to Firefox, Internet Explorer 11 (IE11), and Safari, participants were able to crack Adobe's Flash and Reader products, according to a blog post by Angela Gunn, senior security content developer for HP Security Research.

Researchers earned a total of $400,000, a first day record, for their exploits. Experts from Vupen, a French security firm that sells software vulnerability information to governments and businesses, earned a majority of that share - $300,000 – for their work.

Team Vupen successfully exploited Adobe Flash, Reader, IE11, and Firefox. The Flash, Reader and Firefox hacks resulted in code execution, and the IE11 exploit allowed for a sandbox bypass.

Security researchers Jüri Aedla and Mariusz Mlynski successfully cracked Firefox. While Aedla's exploit results in code execution, Mlynski's could be leveraged to bypass browser security measures, according to the post. Each researcher earned $50,000 for their work.

In the contest's “sponsors-only” event, Pwn4Fun, Google performed a “very impressive” exploit on the Apple Safari browser running on Mac OS X, while the Zero Day Initiative successfully attempted a “multi-stage exploit” that includes a sandbox bypass on IE 11. The $82,500 won by the sponsors was given to the Canadian Red Cross, the charity of their choice.

Expect for fixes addressing the issues on each of the products to be released soon.

“All of the vulnerabilities were disclosed to their respective vendors in the Chamber of Disclosures, and each will be working to address those issues through their own processes,” Gunn wrote.

The final day of the contest begins on Thursday at 10 a.m. PDT.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.