Adobe, Mozilla, Microsoft fall at Pwn2Own 2015

March 20, 2015 // 12:33 p.m.

Tags: #adobe-flash #adobe-reader #browser #exploit #firefox #flash #insecurity #internet-explorer #security #vulnerability #windows

Competitors in the Pwn2Own competition have successfully exploited previously-unpublished vulnerabilities in Adobe's Flash and Reader products, Firefox and Internet Explorer - and it's only day one.

Occurring alongside the CanSecWest security conference each year, Pwn2Own gives security experts devices running the latest operating systems and associated software and the challenge to exploit a vulnerability in them. The first to do so wins the hardware, and a far more significant cash prize thanks to sponsorship by Google's Project Zero and HP's Zero Day Initiative.

According to coverage of the first day of the event published by security specialist Kaspersky's Threatpost blog, the first day's targets have all fallen: Adobe Flash, Adobe Reader, Mozilla Firefox and Internet Explorer, netting the researchers responsible for the exploits an impressive $317,000 plus some shiny new laptops for their trouble.

The Adobe Flash exploit was reportedly targeting a previously-unknown heap overflow vulnerability in the popular multimedia plugin to run arbitrary code, then used an as-yet unpatched privilege escalation bug to get administrator-level access to the system and bypass security measures built into the Windows kernel - resulting in a total payout of $85,000 for the two teams involved. A second researcher, Nicholas Joly, used a further three vulnerabilities to break Flash further, earning him $90,000 in total.

Adobe's Reader product was also successfully cracked with two separate vulnerabilities for a $55,000 payout, while the open-source Firefox browser fell to Mariusz Młyński with two bugs for a $55,000 payout - although this hack related to an interplay between Firefox and Windows, and is not thought to affect installations of the browser on other operating systems. Microsoft itself, Kaspersky's Chris Brook reports, found its Internet Explorer 11 browser cracked by an uninitialised memory vulnerability which allowed for full system access - earning JungHoon Lee, a new competitor, $32,500.

The second day of the event will target Internet Explorer again, plus Apple's Safari and Google's Chrome browsers, and given the competition's previous results none are expected to escape unscathed.
Discuss this in the forums