The annual Pwn2Own hacking contest gives prizes to people who successfully hack popular web browsers. This year’s event took place at the usual venue: Vancouver’s CanSecWest security conference. Hewlett-Packard’s Zero Day Initiative Program sponsored the contest.
A look at the Pwn2Own contest
The hacking contest pits researchers against the latest versions of the top four browsers. The goal is to see whether web-based attacks can execute rogue code on the underlying systems. This year’s winner is JungHoon Lee, who successfully hacked Internet Explorer 11 and Google Chrome on Microsoft Windows. He also hacked Apple’s Safari on Microsoft Windows.
Lee also won a total of $225,000 in prize money. This total does not include the brand new laptop computers he got to keep after exploiting the flaws. His attack on Chrome garnered him the largest payout for a single exploit in the entire history of the competition. It includes $75,000 for the bug, $25,000 for privilege escalation and an additional $10,000 for hitting the beta version of the browser.
Lee’s Internet Explorer exploit earned him an extra $65,000 and the Safari hack earned him $50,000. Perhaps the most remarkable thing about Lee’s exploits is that he worked alone rather than in a group, unlike most of the researchers in the competition.
An impressive hack on Internet Explorer 11
One group of hackers, which goes by the name of 360Vulcan Team, broke into Internet Explorer 11 in just 17 seconds. That is quite a feat considering IE 11 comes with an enhanced sandbox, 64-bit process, EMET and security mechanisms of 8.1. The team bypassed all those measures in a very short amount of time, and it shows just how vulnerable the browser is even with all the extra “protections”.
A majority of the hacks at this year’s Pwn2Own required chaining multiple vulnerabilities together to bypass all the defense mechanisms that browsers put in place to prevent remote code execution.