bit-tech.net

Pwn2Own competitors crack Chrome, Firefox, IE and Java

The Pwn2Own contest, a regular event at the CanSecWest conference, has revealed serious security flaws in Chrome, Internet Explorer and Firefox.

The annual Pwn2Own contest, a regular feature of Vancouver's CanSecWest security conference in which hackers and crackers compete to be the first to breach the security on up-to-date computers, has its first results - and they're not good news for users of Chrome, Firefox or Internet Explorer.

Each year, Pwn2Own puts major cash prizes up for those who can breach the security of fully-patched consumer systems, including Windows 8, Windows 7, and OS X, by exploiting vulnerabilities in the systems' web browsers or relevant plugins. As well as cash - up to $100,000 for the top-tier Google Chrome or Microsoft Internet Explorer 10 targets - winners take home the hardware on which the software was running, hence the name of the event.

It's a popular event, and one which typically unveils flaws in each browser - and hopefully before the hordes of ne'er-do-wells that haunt the internet know about them. In 2010, the event saw fully-patched installations of Apple's Safari browser on OS X, Internet Explorer 8 and Firefox exploited by security researchers, along with an iPhone that had its private data sucked up by a previously unknown vulnerability in its stock web browser.

This year, the prizes are bigger than ever: the first hacker able to crack fully-patched versions of Google Chrome on Windows 7 or Internet Explorer 10 on Windows 8 can pick up a cool $100,000, while Internet Explorer 9 on Windows 7 gets a still-impressive $75,000. Mozilla Firefox, running on Windows 7, nets the successful security type $60,000 for their trouble, while Apple's Safari browser on a fully-patched OS X Mountain Lion install gets $65,000. Additionally, those who use browser plugins to exploit the system - rather than attacking a vulnerability in the browser directly - can pick up $70,000 from Adobe for a flaw in Flash or Reader XI, while Oracle is fronting $20,000 for anyone who finds a previously unknown vulnerability.

So far, the hackers are winning: on the first day of the contest, Chrome, Firefox and Internet Explorer 10 all fell to the researchers' attacks. VUPEN, a company which has been criticised in the past for selling vulnerability code to the highest bidder, was able to secure the prizes for Internet Explorer 10 on Windows 8, Firefox on Windows 7 and - to nobody's great surprise, given the software's track record - Oracle's Java. In a break with tradition, the company also agreed to report the vulnerabilities to each software house so the flaws could be fixed - although it did not state outright that it would not also be adding the zero-day exploits to its price list for others to buy.

Chrome running on Windows 7, patched just days before the security conference began, fell to a researcher from MWR InfoSecurity who found two zero-day vulnerabilities that allowed them to bypass the browser's built-in protections. As the rules of the competition require, details of these vulnerabilities have been passed on to Google for patching.

The only tested browser to remain standing was Apple's Safari running on an up-to-date OS X Mountain Lion system. That's a surprise: in past events, Safari has typically been one of the first to fall. However, it's not necessarily a reflection of the security of Apple's browser: out of the software on trial, no researchers picked Safari as their target - meaning that the software has not actually proven itself against an active attack at the event. Meanwhile, the second day of the competition saw both of Adobe's products - Flash and Reader - fall to attacks.

9 Comments

Corky42 8th March 2013, 13:51
Firefox have already patched this exploit, same goes for Chrome AFAIK.
RichCreedy 8th March 2013, 13:54
Quote:
Originally Posted by Corky42
Firefox have already patched this exploit, same goes for Chrome AFAIK.

And in doing so so quickly, they have probably introduced new exploits.
Ending Credits 8th March 2013, 13:59
What about Opera?
Corky42 8th March 2013, 14:31
Quote:
Originally Posted by RichCreedy
And in doing so so quickly, they have probably introduced new exploits.

I wouldn't call it quickly; they received the technical details on Wednesday evening.
If anything, this news article is days old.
Gareth Halfacree 8th March 2013, 15:05
Quote:
Originally Posted by Corky42
I wouldn't call it quickly; they received the technical details on Wednesday evening. If anything, this news article is days old.
Days? The competition started on Wednesday night (GMT) and won't end until tonight. The only reason I'm publishing now is because I don't post on Saturdays, and Monday is too far away for it to be relevant.

(However, I did spot that the article had an early draft of the final sentence in place, which didn't include the results for Flash and Adobe Reader - I've now corrected that.)
Quote:
Originally Posted by Ending Credits
What about Opera?
The contest only puts up prize money for major browsers, and unfortunately Opera doesn't count: it has under 4 per cent of the market and dropping.
Corky42 8th March 2013, 20:00
I'm only going on what I read on the Mozilla blog, https://blog.mozilla.org/security/2013/03/07/mozilla-and-pwn2own-event/

Where they say "We received the technical details on Wednesday evening".
leexgx 9th March 2013, 06:11
Too bad really, as it's a good browser (Opera).

I use both Chrome and Opera; Opera has been the main browser for the most part.
fargo 9th March 2013, 19:05
What about the Waterfox 64-bit browser? Just installed it and it works great!!
Jester_612 9th March 2013, 19:53
Quote:
Originally Posted by leexgx
Too bad really, as it's a good browser (Opera).

I use both Chrome and Opera; Opera has been the main browser for the most part.

This, except a component keeps crashing in it, and I've not worked it out.