Yesterday, we wrote up the half-time scores at the PWN2OWN 2014 competition at CanSecWest in Vancouver, Canada.
On Day One, six of seven planned attack attempts were successful, with only Oracle Java remaining unbroken.
On Day Two, the results were nearly as good (or bad, if you were the products), with 5.6 out of eight attacks hitting their targets.
That curious looking “5.6” is because Chrome was pwned twice, but the competition umpires deemed that 40% of one of the attacks was not original, albeit that the vulnerability used was not patched and the attack succeeded.
Only one attack that was actually attempted ended in failure, with IE 11 holding up against Jung Hoon Lee of ASRT.
The other unsuccessful attack on Day Two was Vupen’s attempt at Safari on OS X, which was abandoned altogether.
Here’s what happened on Day Two:
The combined results over the two days are as follows, sorted by payout:
The sponsors ended up paying out $850,000 of the $1,085,000 prize money pool.
In addition, a Sponsor versus Sponsor challenge, PWN4FUN, resulted in two successful attacks, and a combined donation of $82,500 to the Canadian Red Cross.
PWN4FUN took place on Day One, in the two hours before the competition proper got under way, with experts from HP and Google facing off in some community-spirited competitive hacking.
Google’s hackers broke out of Safari, and HP’s crew managed to escape from IE 11.
Of course, both teams ran the operating system’s built-in Calculator app – de rigueur when you are demonstrating remote code execution – but HP’s hackers added an amusing and theatrical touch by opening the Windows CALC.EXE program in Scientific Mode.
The Googlers, too, went over and above the call of duty, and ended up with the OS X calculator running as root.
That means they achieved remote code execution and privilege escalation: the most desirable sort of exploit to a crook, and the most worrying to a system administrator.
→ There are still OS X threat deniers out there who tell us that they consider malware in its traditional sense to be impossible on OS X, “because you have to click on and run a program by yourself and then type your admin password into the warning popup.” But as Google’s hacking crew just showed, a determined attacker can sidestep both of those giveaways when launching malware.
Big winners Vupen aimed high, entering to take on all seven products, and succeeding five times.
They will return to France with a tidy $400,000 – just a shade under half of the total payout.
Even if they have to pay French VAT and company tax, at rates of roughly one-fifth and one-third respectively, they should still net about $251,000 – a cool quarter million.
Not bad for five 30-minute passages of play!
Of course, like winning the Superbowl final, or lifting the FIFA World Cup, there was a lot more that went into the Vupen team’s success than just the final public proof of concept.
So, just how much work did go on behind the scenes to put Vupen’s attackers into a position from which they could pull in that sort of money in two days?
The company isn’t saying.
10 comments on “PWN2OWN Day Two – Chrome and Safari join the losers”
Soooooooo what does this all mean in layman’s terms? Should I stop using Firefox?
I assume it is the default FF with no add-ons.
I would love to see a pwn2own competition against FF with some popular security related add-ons. Noscript for example.
Only if you want to… I’m not going to.
All the vulns used by the pwners were revealed to the vendors as part of the competition. Look out for new versions of all affected products soon.
In layman’s terms, it means that you’re likely vulnerable to some degree no matter what platform you are using, and that some significant bugs will now be fed back to the developers to fix.
I don’t intend to give up on Firefox. (FWIW, the competition was FF on Windows 8.1 64-bit, so the exploits used may not be practicable on other platforms – I am on OS X.)
All browsers in the competition were owned.
So…is FF weaker because of its lower prize money, or did it have lower prize money because techies love it so the sponsors thought it would be the most commonly attacked and thus perhaps the most expensive 🙂
Remember: this is “professional driver, closed track” stuff. Not saying the crooks couldn’t do the same, but these are [a] not everyday holes [b] will now be fixed [c] can be mitigated by other parts of a defence in depth approach (firewall, anti-virus, non-default stricter browser settings, gateway web filtering, EMET on Windows, plugins like NoScript, and more).
Modern Internet Explorer with EMET did not get owned.
Very true – there was a Grand Prize of $150,000 for pwning IE 11 plus EMET (Enhanced Mitigation Experience Toolkit, a sort of “sandbox for your sandbox”). No-one tried it.
But you *also* had to “get root” (SYSTEM privilege on Windows) to win.
I pondered why not in the Day One article:
Could be that it was too hard. (Let’s hope – though Google did the equivalent on OS X in the PWN4FUN contest.) Could be that someone else offered more than $150,000 🙂 (Vupen, for example, openly advertises that it produces exploits for defensive and offensive purposes.)
No Script was such a pain to use. Since I know very little about this stuff I never knew what to allow, so I can let through what I wanted to let through. Any ideas from you experts so that I can start using it again. Please use elementary school words.
NoScript is great, I use it non-stop. It is, however, a hammer that sees everything as a nail. My attitude is I walk away from many sites without participating because the website is too reliant on scripting. Other people may be more lenient and happily enable scripting willy nilly. The thing is the moment you enable scripting on a site, you’ve disabled your protection. Another couple of plugins that help is Request Policy, and also Ghostery.
NoScript with most scripts allowed isn’t very effective. Unfortunately, I can’t think of an easy way to explain its use without confusing you.
Best bet is to look for help and tutorials online that can help you; perhaps even visiting the developer’s site?