At this year’s annual Pwn2Own contest, the four major browsers namely Microsoft Internet Explorer 11, Mozilla Firefox, Apple Safari, and Google Chrome were tested at the hands of talented contestants and surprisingly, none of them stood its ground.
Every year, hackers will have the chance to show off their skills at the CanSecWest conference in Vancouver. It is obvious that this conference allows major companies to see how safe their digital security are.
This meant if talented people stood out and break the security, they have the chance to win lots of money! On this year’s Pwn2Own contest, the one that won a lot was a researcher named Jung Hoon Lee, aka lokihardt.
Jung Hoon Lee Won A Total Of $225,000
Lee exposed an exploit during the contest that took down both the stable and beta versions of Google Chrome (a browser said to be not an easy prey for hackers) but he did so anyway. He started it with a buffer overflow and taking advantage of its race condition; and a few executions later, it then lead to a full system access. This impressive feat earned him a total of $110,000 from Google Chrome alone.
Later on, he tested his skill on a 64-bit IE 11 and again, the security was no match for his prowess. He bypassed Windows defenses by unleashing a sandbox escape through privileged JavaScript injection. The feat won him $65,000.
After dealing with the previous two browsers, he then took on Apple’s Safari browser. By demonstrating a use-after-free exploit and with the use of a separate sandbox escape. Again, the browser was found to be insecure. He then won $50,000 for that hack alone, bringing his total winnings to $225,000.
Other PC Software That Got Hacked
While Jung Hoon Lee took on the three browsers, other contestants took on other software of their own:
Adobe Flash
- Brought down by the teams Team509 and KeenTeam by using a heap overflow remote code execution vulnerability in Flash which lead to the bypassing of all defensive measures. The teams were awarded $60,000 and a bonus of $25,000 for the SYSTEM escalation.
Adobe Reader
- Nicolas Joly took it down through a stack buffer overflow. He took it forward by leveraging an integer overflow to exploit the broker and won $60,000 for it. He also grabbed $30,000 for his efforts on Adobe Flash by exposing a bug.
- KeenTeam also took down Adobe Reader down with an integer overflow that leads them to a SYSTEM access. It got them a total of $130,000.
Mozilla Firefox
- Mariusz Mlynski has other plans and took down Mozilla Firefox through a cross-origin vulnerability and privilege escalation within the browser. This earned him a total of $55,000, including the $25,000 bonus he got for the privilege escalation.
Browsers Exposed
With the results, it only goes to show that with talented hackers out there, we are all potential victims as long as we’re in the internet. Thankfully with the help of the contestants, these bugs and possible ways of hacking our system are revealed and can now be secured.
