PWN2OWN results Day Two - Adobe Reader and Flash owned, Java felled yet again


PWN2OWN 2013 is over.

Day Two ended in a similar fashion to Day One, with everyone who went in to bat slugging the ball into the crowd.

Yesterday, all the mainstream browsers (sorry, Opera fans!) except for Safari fell, though no-one actually tried Safari and failed.

Java fell three times yesterday, though under the contest rules, only the first attacker was due to win the $20,000 prize.

But in a fit of largesse, the sponsors announced that they'd pay up not just to the first successful attacker in each category, but to everyone who popped any of the products:

That put a biggish additional lump of cash on the table, with two more Java attacks to pay out on from yesterday ($40k), and a possible $100k extra if Pham Toan's scheduled attack on IE 10 worked out.

As it happened, IE 10 wasn't owned today.

From the results shown below, it looks as though Pham didn't actually make his attempt, as he's no longer listed at all, not even as trying and failing.

But a pre-registered contestant named Ben Murphy stepped up instead.

Not in person, but through a proxy (I assume this means a human proxy appearing live but following Ben's instructions), who successfully popped Java for a fourth time in the competition.

The final results look like this:

With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:

  • James Forshaw: Java = $20k
  • Joshua Drake: Java = $20k
  • VUPEN Security: IE10 + Firefox + Java + Flash = $250k
  • Nils & Jon: Chrome = $100k
  • George Hotz: Adobe Reader = $70k
  • Ben Murphy: Java = $20k

The total damage to the prize fund comes out at a whopping $480k.

That's only a fraction of the $π million that Google put up independently for its own Pwnium competition, held in parallel.

That was a chance to hack Chrome OS, Google's locked-down/open-source "browser is the operating system" platform that is largely based around the Chrome browser.

Chrome OS, like Android, is built on a Linux base.

Just as Android has been adapted to suit mobile applications on phones and tablets, Chrome OS is adapted for web applications and the cloud.

Google will no doubt be rejoicing, from both a financial and a marketing point of view, because no-one managed to own the Chromebook (Google's name for laptops designed to run Chrome OS) used in the Pwnium 2013 contest.

And that ends the fun-and-games at this year's CanSecWest conference.

Now all that remains is to discuss whether this sort of "hacking as a professional sport" is the right way to encourage vulnerability research.

What do you think?

Is this competitive approach to vulnerabilities and exploits creating a market for malware that might end up out of control?

Or is it simply matching willing sellers with willing buyers, with some of the edginess of sports-like competition thrown in?

Let us know your opinion in the comments below...


6 Responses to PWN2OWN results Day Two - Adobe Reader and Flash owned, Java felled yet again

  1. JimboC_Security · 537 days ago

    Pwn2Own has been running for 8 years so I don’t believe that it is “creating a market for malware that might end up out of control.” If something was wrong with this approach we would very likely have noticed it by now. An exception was last year’s Pwn2Own which did not require participants to hand over their exploit hand code, thankfully this year this was not the case.

    As I have stated previously I like to see competitions such as this taking place since it allows the vendors of commonly used applications to see what exploits their products are vulnerable to, how to defend against them, fix these flaws and then make these fixes available to their customers all without causing malware infections or data loss. This has to be a good thing. The security researchers certainly seem to like it too since they are well paid for it and also receive notoriety.

    I have already noticed that new versions of Firefox (v19.0.2) and Google Chrome (v25.0.1364.160) are available which address the flaws used at Pwn2Own. Users are already seeing the benefits of this competition.

  2. JimboC_Security · 536 days ago

    Some final comments are that Adobe received lots of praise from Vupen’s CEO Chaouki Bekrar about the robust security of Adobe Flash. This shows that we should have more confidence in it since such comments aren’t said lightly. Yes we still update Flash far too often, but we would need to update it even more if Adobe had not incorporated more secure coding practices into the development of Flash.

    Also IE 10 was praised for how long it took Vupen to find a flaw in it and then make a reliable exploit for it. It took weeks for both stages. Again this should give us confidence since the browsers we are using today are more secure than ever. Yes they are not impregnable but it is no longer trivial to exploit them.

    For more info about browser security in relation to this year’s Pwn2Own, please see the following links:
    http://threatpost.com/en_us/blogs/pwn2own-browser...
    http://threatpost.com/en_us/blogs/firefox-java-fl...

    My apologies to Sophos for linking to external sources.

    Thank you.

  3. Boom · 536 days ago

    Are there other pwn2own competitions in other areas of the world?

    I think security/OS companies could learn a lot if they held this competition in different locations a few times a year (US in January, China in March, Russia in June...).

    Also it is a very good practice to reward any new exploit that was used to pwn any of the software, not just the first pwner. That way everyone won't mind using their hack even if they are the 10th person in line.

    I would also be curious to see how fast the flavor of the month (meaning the most used) Linux would fall in these competitions.

    • JimboC_Security · 536 days ago

      Hi Boom
      -------------------
      “I think security/OS companies could learn a lot if they held this competition in different locations a few times a year (US in January, China in March, Russia in June...).”
      -------------------

      I think you are right, this could easily result in more vulnerabilities being found. It would be interesting to see what other exploits more security researchers could come up with.

      -------------------
      “Also it is a very good practice to reward any new exploit that was used to pwn any of the software, not just the first pwner. That way everyone won't mind using their hack even if they are the 10th person in line.”
      -------------------

      Good point, as Paul mentioned above ZDI actually did decide to pay for every flaw found and not just the first person to pwn an application but it was a change they made after the competition had started.

      Thanks.

  4. Joseph Tren · 536 days ago

    Oh! George Hotz! Renowned Wii and iPhone hacker.

  5. airmanchairman · 534 days ago

    HP put up $75.000 for each successful hack of Safari on OS X Mountain Lion, and apparently either no-one took up the challenge, or no-one succeeded.

    Reporting has also been threadbare on how Safari fared on most blogs that covered pwn2own, with some not mentioning it at all.

    Why the fog and falsehood, I wonder?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog