Skip to main content

Google Chrome, Firefox and IE10 all taken down at Pwn2Own hacker contest

Researchers are earning big bucks at the annual Pwn2Own hacking contest, with teams taking down Chrome 25, Firefox 19, IE 10, and more.

In a blog post, MWR Labs said that it successfully compromised the most recent, stable version of Chrome as part of the Pwn2Own competition at the CanSecWest conference in Vancouver.

"We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop," the company wrote. "By visiting a malicious webpage, it was possible to exploit a vulnerability, which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges."

A hack of Chrome on Windows 7 was worth $100,000 (£66,400). MWR promised a more in-depth breakdown of its hack once Google has patched the bug.

Meanwhile, Vupen Security said in a tweet that it "pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass."

The company also succesfully targeted Java, as well as Firefox "using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP."

Taking down IE10 on Windows 8 was also worth $100,000, while the Firefox pwn netted Vupen $60,000 (£40,000) and Java earned it $20,000 (£13,000).

Computer security consultant James Forshaw also sucessfully targeted Java, as did Joshua Drake.

Today at Pwn2Own, Vupen is taking on Flash, George Hotz is targeting Adobe Reader, and Pham Toan is going after IE10. Flash and Adobe Reader both include a $70,000 (£46,000) prize. Anyone who targets Apple Safari on OS X Mountain Lion, meanwhile, could land $65,000 (£43,000), but it does not appear that anyone has done so.

The competition is sponsored by HP's DVLabs Zero Day Initiative (ZDI). The group expanded its focus this year beyond browsers to include browser plug-ins because "we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware."

"These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers," ZDI said. "That being said, we are not forgetting about the browser as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular Web browsers."

Also this week, meanwhile, Google is hosting Pwnium 3. The contest - which includes more than $3 million (£2 million) in prize money - will focus on Chrome OS rather than the Chrome browser. Google said in January that it has been working with ZDI on the conference's rules and decided that since Chrome is already featured in the larger Pwn2Own competition, Pwnium 3 will have a new focus: Chrome OS.