Pwn2Own Hackers Down Browsers, Java, Adobe Plug-ins

It was a good day for security researchers after they claimed nearly $500,000 (331,895 pounds) in bounties for demonstrating previously unknown – or zero-day – attacks.

The sucessful attacks were carried out against all major browsers and three popular browser plug-ins at the annual Pwn2Own competition at the CanSecWest conference in Vancouver, British Columbia.

Hacking Contest

The three-day contest, which ends on 8 March, requires that security professionals play the role of attackers and compromise fully patched versions of popular browsers running on Windows 8 and Mac OS X. After a successful attack, which requires that the researcher gain control over the target system, the contestants must turn over the details of the vulnerability to Hewlett-Packard’s Zero Day Initiative (ZDI), which runs the competition. Those details are then passed to vendors to be patched.

“All of these individuals who come in and participate in the competition, they are bringing zero days that were not known at the time of the competition,” said Brian Gorenc, manager of vulnerability research for HP’s Security Research Labs. “So it is bleeding edge research, especially when it comes to bypassing the sandboxes and the various plugins and browsers, which is why we offer the money we do.”

The company will pay two teams of researchers – offensive security firm VUPEN and a pair of researchers – $100,000 (66,000 pounds) each for finding and exploiting critical flaws in Microsoft’s Internet Explorer 10 and Google’s latest version of the Chrome browser. In addition, the flaws found in Adobe’s Flash and Reader plugins will net VUPEN and researcher George Hotz each $70,000 (46,000 pounds). Finally, the successful compromise using Mozilla’s Firefox will earn VUPEN another $60,000 (40,000 pounds) and four separate exploits of Java will net the researchers who found them $20,000 (13,300 pounds) each.

HP co-ordinated with each affected software developer to get the information on the flaws to the appropriate security team.

Java Suffers

Oracle’s Java SE was the hardest hit in the competition, with researchers revealing four vulnerabilities from three different classes of security issues. The last month has been hard for Oracle, as the company has had to release three emergency patches for its Java plug-in, including one patch right before the Pwn2Own competition.

“You are seeing more and more Java being utilised to launch attacks against companies, governments and consumers,” HP’s Gorenc said. Going into the competition, “we were not quite sure what we were going to see, but it was nice to see three different types of bugs come into the program.”

Bounties paid out by the competition have steadily increased since the initial content, and the format has changed as well. For the last two years, ZDI had implemented a point system for each compromise.

A decade ago, vulnerability researchers generally fell into two camps: those that co-operated with software vendors to get vulnerabilities fixed, and those that published the information without warning – so-called full disclosure – in an attempt to shame the vendor. Increasingly, however, researchers are seeking to get paid for their endeavors. Programs like HP’s Zero Day Initiative pay a modest amount for vulnerability research. Private buyers – most often governments – pay much better rates.

Yet, the Pwn2Own competition’s recent prizes have started to get close to the six-figure payouts typically only paid by government buyers.

Are you a security pro? Try our quiz!

Originally published on eWeek.