Thread: Chrome, Firefox, IE Fall Quickly in Hacking Contest

Ben Weitzenkorn
March 07 2013 04:11 PM ET

Entrants in this year's Pwn2Own hacking contest defeated the security features of Google Chrome 25, Mozilla Firefox 19 and Microsoft Internet Explorer 10 on the first day of the contest yesterday (March 6).

Last year's big Pwn2Own winner, French vulnerability-hunting firm VUPEN, said it used two zero-day (previously unknown) exploits to overpower IE10's security to compromise a fully patched Microsoft Surface Pro tablet running Windows 8.

"We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," Chaouki Bekrar, VUPEN chief executive officer and head researcher, broadcast on Twitter yesterday.
For its efforts, the VUPEN team won $100,000 before going on to win another $60,000 for an exploit of Firefox 19.

Two researchers from security firm MWR Labs managed to bypass Chrome 25's security with several zero-day exploits both in the browser and the operating system. Google had patched the latest version of Chrome just three days ago.

Java 7 also had its security pushed past the breaking point, netting one researcher $20,000. Java's maker, Oracle, has had a rough 2013 so far, having already patched the self-contained Java software environment five times in less than three months.

No one tried to crack Apple Safari, which would have garnered a $65,000 prize.

Pwn2Own winners also get to keep the contest-provided laptops upon which their exploits are demonstrated.

As per this year's Pwn2Own contest rules, VUPEN disclosed all vulnerabilities used to compromise the systems.

Last year, the rules were different, and VUPEN didn't have to reveal how it cracked the then-current version of Chrome.

The 2012 rules prompted Google to pull out of Pwn2Own and set up the rival Pwnium contest, which this year is offering $3.14159 million — pi million dollars — for various successful exploits of Google's full-fledged Chrome operating system (not to be confused with the stand-alone Chrome browser).

VUPEN and a few other firms make their money by discovering unknown vulnerabilities and selling the secrets to the highest bidder, a practice frowned upon in the information-security community.

By choosing to participate in this year's Pwn2Own, VUPEN may have given up potential profits. Top zero-day exploits can sell for hundreds of thousands of dollars.

Pwn2Own is part of the CanSecWest security conference in Vancouver, British Columbia, which began yesterday and continues tomorrow (March 8).