PWN2OWN results Day One - Java, Chrome, IE 10 and Firefox owned

Filed Under: Adobe, Adobe Flash, Apple, Apple Safari, Featured, Firefox, Google, Google Chrome, Internet Explorer, Java, Microsoft, Oracle, Vulnerability

pwned-icons-176Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers at PWN2OWN 2013

Chrome, Internet Explorer 10 and Firefox, all running on Windows, have already fallen by the wayside.

To remind you: in the world of PWN2OWN, "successful attack" means that merely by browsing to untrusted web content, you're able to inject and run arbitrary executable code outside the browser.

In the real world, that means you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser.

In other words, you could put malware on remote users' computers without them being involved, or even aware.

As the competition rules explain:

A successful attack ... must require little or no user interaction and must demonstrate code execution... If a sandbox is present, a full sandbox escape is required to win.

However, if you're a Safari fan, don't get too excited about your browser's resilience just yet.

None of the PWN2OWN entrants are actually scheduled to take on Safari (the only non-Windows-hosted software in the competition), and we are unlikely ever to be sure why.

Was the combination of Safari and OS X too tough? Was the prize money too low? Do the browser-breakers consider OS X malware a secondary revenue stream not glamorous enough for the limelight of competitive hacking? Are the browser-breakers simply not up to speed on Safari and OS X hacking yet?

(Let's hope that Safari's victory over the attackers was true resilience, or even simply a lack of interest from the competitors, rather than that someone came up with an exploit but chose instead to sell it to the internet underworld.)

Java, plugged into Internet Explorer on Windows, also fell today - not once, but three times.

Here's HP's summary of the results so far:

The competition continues at midday on Thursday 07 March 2013, with VUPEN Security taking a crack at Adobe Flash and George Hotz trying out his skills on the Adobe Reader plugin.

When they're done, Pham Toan will have a crack at Internet Explorer 10.

If he succeeds, he'll only win a consolation prize because, as shown above, VUPEN already took down Microsoft's latest browser.

→ PWN2OWN contestants step up to the plate/crease in a randomly-chosen order. And since you only enter in the first place if you're pretty certain that you have an exploit that will work on the competition system, that usually means that it's first in, best dressed. Second and third place winners get kudos, but no cash.

With prize money at 70% of that for Chrome and IE, you'd assume that Flash and Reader are supposed to be easier to break. On the other hand, Safari was valued at just 65%, and no-one broke that.

So stay tuned. We'll let you know tomorrow how Flash and Reader stood up.

, , , , , , ,

You might like

14 Responses to PWN2OWN results Day One - Java, Chrome, IE 10 and Firefox owned

  1. Roscoe · 505 days ago

    Is this a legitimate comp or something we should be wary of? I do understand that, either way, we all shouldn't be complacent about security.

    • Paul Ducklin · 505 days ago

      It's legit, though Google (amongst others) fell out with it last year and withdrew its browser and its money because you could come along, show off your vulnerability, pwn the laptop, collect the cash...

      ...and then walk away without revealing your vulnerability to the browser maker, perhaps to sell your vulnerability to someone else (or to disclose it publicly, knowing it was verified to work).

      The competition is a bit more responsible now. You win the prize but the browser vendor gets access to your work and time to fix the flaw before world+dog gets told how to use the exploit.

  2. Nick · 505 days ago

    All good fun with lots of money being thrown around....but spare a thought for those of us in the trenches who are going to have to clean up the mess by spending countless hours patching thousands of vulnerable endpoints across multiple enterprises whilst begging our users in vain to browse safely and not to click on any link that comes their way.

    Would the vulnerabilities have arrived anyway? Of course...but it still leaves a bit of a bad taste in the mouth!

    • Craig · 505 days ago

      Really? You'd rather be scrambling to patch a bunch of systems because they're being actively exploited, than have competitions like this unearth the vulnerabilities, and have them released in a responsible manner?

      There is an active black market for vulnerabilities. Far better for people to make the money here, where the vulnerability gets displayed and fixed, than sold on the black market to be used for evil.

  3. Balthazar · 505 days ago

    The article suggests lack of interest as a possible reason Safari didn't fall. But I doubt it. This article....
    http://www.theregister.co.uk/2013/01/22/pwn2own_w...

    ....says the prize for hacking the Safari browser was set to $65,000. Who would lack interest in that much money? Java fell for just $20,000.

  4. Nigel · 505 days ago

    I'm not sure it's very smart to award all the cash prizes to those who happen to be lucky enough to be chosen first. It seems to me that such a system provides far less incentive to those who aren't chosen first. What's in it for them if the cash has already been awarded to someone else?

    I suppose they get the credit for having achieved the pwnation, and maybe that's enough for some. But what's to keep them from just saying "Forget it", and walking away to sell their exploits to the bad guys?

  5. John Baxter · 505 days ago

    The cynic says that everyone expected Miller to beat Safari in 10 seconds or so (as usual) and no one else bothered.

  6. Bill · 504 days ago

    People use Safari?

  7. MikeP_UK · 504 days ago

    The article seems to suggest that Safari running on Windows was not part of the 'game'. A number of people use it that way, but is it any more secure that the other browsers?

    Part of the security, or insecurity, may be due to the OS being used, any flavour of UNIX (such as OS X and Linux) tends to be less vulnerable than Windows. That may be because of smaller presence in the market so less interest in attacking.

    Could 'The Duck' clarify the position of Safari on Windows please?

    • Rick · 503 days ago

      Safari on Windows is dead, so there's no point in testing that configuration.

  8. Chuck · 504 days ago

    I'd be interested to know how well this works in Firefox with Noscript. And I would also like it tested with a browser sandboxed with Sandboxie.

    • Rick · 503 days ago

      @ Chuck–

      I think the the point is to hack with their default configurations, as how vast majority of people would use it. Most people on the street don't have a clue what NoScript is, or Sandboxie.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog