Record prizes for Pwn2Own and Pwnium contestants
Posted on 13 March 2014.
The results of the first day of the traditional Pwn2Own hacking contest at the CanSecWest Conference currently taking place in Vancouver are in, and the losers are Adobe, Microsoft and Mozilla.


The team from French security firm and vulnerability/exploit vendor Vupen have raked in $300,000 by cracking Adobe Reader ($75,000), MS Internet Explorer 11 ($100,000), Adobe Flash ($75,000), and Mozilla Firefox ($50,000).

Firefox was compromised two more times on the same day by security researchers Mariusz Mlynski and Jüri Aedla, each of whom received the $50,000 prize.

"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw)," Vupen commented on its Twitter account. "We've pwnd IE11 on Win8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox."

It's interesting to note that Hewlett-Packard's Zero Day Initiative (ZDI) - the organizers of the event - changed some of the contest rules almost at the last minute, and the most important one is that everyone who succeeds to crack one of the targets will be rewarded, and not just the first team or individual who manages it. Of course, the vulnerabilities/exploits must be different.

"It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities," ZDI manager of vulnerability research Brian Gorenc commented the day's results.

Before the contest started, Google's and ZDI's team participated in Pwn4Fun, a separate event that ended in the successful exploitation of a number of recently discovered vulnerabilities in Safari and IE. The prizes ($82,500 in total) were donated to the Canadian Red Cross.

Also on Wednesday, the first day of the Google-sponsored Pwnium contest ended with one researcher exploiting Chrome OS on an HP Chromebook 11, winning both the notebook and a prize of $150,000. The contest continues on Thursday.

Pwn2Own continues, and the scheduled "attacks" are against Safari, IE, Firefox, Flash and Chrome. Unfortunately, there are no scheduled contestants for the spectacularly announced Exploit Unicorn multi-product event.









Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //