If there was ever any doubt that security is a process and not a product, the results of HP Zero Day Initiative's (ZDI) annual Pwn2Own hacking contest will lay those doubts to rest. All the major Web browsers—Chrome, Firefox, Internet Explorer (IE), and Safari—were cracked by the end of the two-day competition.
Before the Pwn2Own contest itself began, two of the game's sponsors, Google and ZDI, showed off their own browser cracks in an event called Pwn4Fun. First, Google cracked Apple Safari 7 on a fully patched version of Mac OS X Mavericks like an egg. At the end of the exploit, Google was running Calculator as root.
ZDI, for its part, showed "a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity)" in IE 11 running on an up-to-date patched Windows 8.1 x64 PC. While it wasn't as complete a crack as Google's on Safari, it was still a crushing blow.
Some security experts objected to Google and ZDI showing off these exploits. Google security engineer Chris Evans told the security publication Threatpost that Google had shared the vulnerability with Apple beforehand. HP ZDI added that they had reported the zero-day holes they used, along with six more IE security holes, to Microsoft.
When the real Pwn2Own competition began, all the browsers and associated Web browser programs, including Adobe Flash and Reader, began to fall.
First, Firefox 27 went down to three different attacks on a Windows 8.1 x64 PC. Then Team VUPEN, an elite French group of security experts, took out the latest versions of Adobe Flash and Reader, and followed this up by exploiting other security holes in both IE 11 and Firefox 27.
And that was just the first day of the competition. The next day, all the browsers, including Google Chrome, got blasted again.
According to HP's results coverage, the newly patched Chrome went down to an "arbitrary read/write bug with a sandbox bypass resulting in code execution. Upon review, contest judges declared this a partial win due to one portion of the presentation’s collision with a vulnerability presented earlier at Pwnium."
Chrome wasn't out of the woods yet. VUPEN cracked it with an attack that popped it open with a sandbox bypass, resulting in code execution, that worked against both the Blink and WebKit Web-rendering engines.
The other browsers were also in for more pain. IE 11, Firefox 27, and Safari 7 all got hammered before the competition came to an end. Only one hacker prize was left unclaimed: the "Unicorn" of a system-level code execution on Windows 8.1 x64, in IE 11 x64, with an Enhanced Mitigation Experience Toolkit (EMET) bypass.
At Pwn2Own's end, $850,000 had been awarded to the white-hat hackers, leaving the browser developers a lot of patch work to do. The most important result of Pwn2Own, as Chaouki Bekrar, VUPEN CEO, told CNET, was that it showed that "even the most secure software can be compromised by a team of researchers with enough resources." As it was in the beginning, is now and ever shall be, security is a process, not a product.