They managed to bypass the browser's DEP and ASLR protection with a 0-day heap overflow vulnerability, and then used a separate memory corruption bug to break out of its Protected Mode, which is effectively a sandbox.
According to VUPEN founder Chaouki Bekrar, these particular flows have existed in previous incarnations of the browser - all the way back to IE 6 - and will very likely work on the upcoming IE 10.
He said it took two of their researchers six weeks of full-time work to develop and exploit for the browser. "When you have to combine many vulnerabilities and bypass all these protections, it takes a longer time," he commented.
According to ZDNet, he also said that the memory corruption bug they used is only one of the many vulnerabilities they found that can be used to break out of IE's Protected Mode, but also admitted that the new IE 10 will be much harder to break into, as Microsoft has added new protection mechanisms.
If the VUPEN team wins the contest, Microsoft will get its hands only on the information regarding the heap overflow bug. "We will keep the Protected Mode bypass private for our customers,” said Bekrar.
So far, the team is definitely at an advantage, but nothing is settled yet as Vincenzo Iozzo and Willem Pinckaers, two former PWN2Own winners, have entered the arena.
In the meantime, it has been confirmed that security researcher Sergey Glazunov will be receiving the $60,000 prize he earned yesterday at the Google-sponsored Pwnium contest.
The bugs he used to bypass Chrome's sandbox have already been patched by Google by pushing out a new version of the browser that includes a fix.