PWN2OWN results Day Two – Adobe Reader and Flash owned, Java felled yet again

PWN2OWN 2013 is over.

Day Two ended in a similar fashion to Day One, with everyone who went in to bat slugging the ball into the crowd.

Yesterday, all the mainstream browsers (sorry, Opera fans!) except for Safari fell, though no-one actually tried Safari and failed.

Java fell three times yesterday, though under the contest rules, only the first attacker was due to win the $20,000 prize.

But in a fit of largesse, the sponsors announced that they’d pay up not just to the first successful attacker in each category, but to everyone who popped any of the products:

That put a biggish additional lump of cash on the table, with two more Java attacks to pay out on from yesterday ($40k), and a possible $100k extra if Pham Toan’s scheduled attack on IE 10 worked out.

As it happened, IE 10 wasn’t owned today.

From the results shown below, it looks as though Pham didn’t actually make his attempt, as he’s no longer listed at all, not even as trying and failing.

But a pre-registered contestant named Ben Murphy stepped up instead.

Not in person, but through a proxy (I assume this means a human proxy appearing live but following Ben’s instructions), who successfully popped Java for a fourth time in the competition.

The final results look like this:

With HP’s announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:

  • James Forshaw: Java = $20K
  • Joshua Drake: Java = $20k
  • VUPEN Security: IE10 + Firefox + Java + Flash = $250k
  • Nils & Jon: Chrome = $100k
  • George Hotz: Adobe Reader = $70k
  • Ben Murphy: Java = $20k

The total damage to the prize fund comes out at a whopping $480k.

That’s only a fraction of the $π million that Google put up independently for its own Pwnium competition, held in parallel.

That was a chance to hack Chrome OS, Google’s locked-down/open-source “browser is the operating system” platform that is largely based around the Chrome browser.

Chrome OS, like Android, is built on a Linux base.

In a similar way that Android has been adapted to suit mobile applications on phones and tablets, Chrome OS is adapted for web applications and the cloud.

Google will no doubt be rejoicing, from both a financial and a marketing point of view, because no-one managed to own the Chromebook (Google’s name for laptops designed to run Chrome OS) used in the Pwnium 2013 contest.

And that ends the fun-and-games at this year’s CanSecWest conference.

Now all that remains is to discuss whether this sort of “hacking as a professional sport” is the right way to encourage vulnerability research.

What do you think?

Is this competitive approach to vulnerabilities and exploits creating a market for malware that might end up out of control?

Or is it simply matching willing sellers with willing buyers, with some of the the edginess of sports-like competition thrown in?

Let us know your opinion in the comments below…