Firefox, Safari And Internet Explorer Are All Broken At Pwn2Own

A whopping $400,000 has already been given out at the Pwn2Own hacking contest this week, with three of the world’s most popular browsers exploited by participants.

France-based exploit merchant Vupen walked away with most of the day one prize money, winning $300,000 for showing off exploits of Adobe Flash, Reader, Internet Explorer and Mozilla Firefox.

The Adobe and Firefox breaches allowed for code execution, whilst the IE hack resulted in a sandbox bypass, both of which criminal hackers often aim to achieve.

Pwn2Own successes

Google showed off a “very impressive” hack of Apple Safari running on Mac OS X, whilst a handful of vulnerabilities were used in attacks on Firefox by two other researchers, Pwn2Own organisers said.

Indeed, Mozilla will have to get patching, as one flaw allowed for privilege escalation within the browser and another could have been used to bypass browser security measures.

Researchers from the HP Zero Day Initiative also presented a multi-stage exploit, including a sandbox bypass, against Internet Explorer. The ZDI and Google teams gave their prize money of $82,500 to the Canadian Red Cross.

“All vulnerabilities were disclosed to their respective vendors in the Chamber of Disclosures, and each will be working to address those issues through their own processes,” organisers said.

The second and final day of the competition starts later today. No one has yet achieved the Exploit Unicorn, a new contest requiring the researcher to exploit Microsoft Windows Internet Explorer 11 running on 64-bit Windows 8.1, with the Enhanced Mitigation Experience Toolkit (EMET) turned on.

Observers will be pleased to see Vupen disclosing flaws. A matter of years ago it refused to do so, saying its findings were only for its customers. The company, which has courted controversy in the past, is busy expanding and had plans to launch a London office in the not-too-distant future.

Are you a security expert? Try our quiz!