Crash, bang, boom: Down go all the major browsers at Pwn2Own


Summary: Well, that was ugly as sin. None of the major Web browsers--Internet Explorer, Chrome, Firefox or Safari--could withstand hacker attacks at Zero Day Initiative's Pwn2Own hacking competition.


If there was ever any doubt that security is a process and not a product, the results of HP Zero Day Initiative's (ZDI) annual Pwn2Own hacking contest will lay those doubts to rest. All the major Web browsers—Chrome, Firefox, Internet Explorer (IE), and Safari—were cracked by the end of the two-day competition.

The HP ZDI team celebrating after cracking IE 11 on a fully-patched Windows 8.1 x64 laptop. (Credit: HP ZDI)

Before the Pwn2Own contest itself began, two of the game's sponsors, Google and ZDI, showed off their own browser cracks in an event called Pwn4Fun. First, Google cracked Apple Safari 7 on a fully patched version of Mac OS X Mavericks like an egg. At the end of the exploit, Google was running Calculator as root.

ZDI, for its part, showed "a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity)" in IE 11 running on an up-to-date patched Windows 8.1 x64 PC. While it wasn't as complete a crack as Google's on Safari, it was still a crushing blow.

Some security experts objected to Google and ZDI showing off these exploits. Google security engineer Chris Evans told the security publication Threatpost that Google had shared the vulnerability with Apple beforehand. HP ZDI added that they had reported the zero day holes they used, along with six more IE security holes, to Microsoft.

Then the real Pwn2Own competition began, and all the browsers and associated Web browser programs, including Adobe Flash and Reader, began to fall.

First, Firefox 27 went down to three different attacks on a Windows 8.1 x64 PC. Then Team VUPEN, an elite French group of security experts, took out the latest versions of Adobe Flash and Reader, and followed this up by exploiting other security holes in both IE 11 and Firefox 27.

And that was just the first day of the competition. The next day, all the browsers, including Google Chrome, got blasted again.

According to HP's results coverage, the newly patched Chrome went down to an "arbitrary read/write bug with a sandbox bypass resulting in code execution. Upon review, contest judges declared this a partial win due to one portion of the presentation’s collision with a vulnerability presented earlier at Pwnium."

Chrome wasn't out of the woods yet. VUPEN cracked it with an attack that popped it open with a sandbox bypass, resulting in code execution, that worked against both the Blink and WebKit Web-rendering engines.

The other browsers were also in for more pain. IE 11, Firefox 27, and Safari 7 all got hammered before the competition came to an end. Only one hacker prize was left unclaimed--the "Unicorn" of a system-level code execution on a Windows 8.1 x64, in IE 11 x64, with an Enhanced Mitigation Experience Toolkit (EMET) bypass.

At Pwn2Own's end, $850,000 had been awarded to the white-hat hackers, leaving the browser developers a lot of patch work to do. The most important result of Pwn2Own, as VUPEN CEO Chaouki Bekrar told CNET, was that it showed that "even the most secure software can be compromised by a team of researchers with enough resources." As it was in the beginning, is now and ever shall be, security is a process, not a product.

  • Contest has changed over the years

    Who gained root through Firefox on Ubuntu or Fedora? Absolutely nobody even tried, because trying without success doesn't earn enough headlines.
    • asmoore82: "Who gained root through Firefox on Ubuntu or Fedora?"

      Will an exploit of Google's Chrome OS via the Chrome browser do? At Pwnium 2014, which ran concurrently with Pwn2Own, there was one demonstrated exploit for the HP Chromebook 11 confirmed for a $150,000 reward and another, possible, partial exploit of the same:

      Note, in particular, the $150,000 USD award details here:

      "Show off your security skills: announcing Pwnium 4 targeting Chrome OS
      "$150,000 USD: compromise with device persistence: guest to guest with interim reboot, delivered via a web page"

      Remember that Chrome OS is built using Gentoo (hardened Gentoo?) as a starting point. And, since Gentoo is GNU/Linux, that makes Chrome OS GNU/Linux (even Richard Stallman agrees).

      P.S. I am looking forward to an article from Steven on Pwnium 2014 very soon. Once Google releases the details.
      Rabid Howler Monkey
      • Re: Pwnium 2014

        The Stable Channel has been updated to 33.0.1750.12 for Windows, Mac, and Linux.

        The Stable channel has been updated to 33.0.1750.152 (Platform version: 5116.115.4/5116.115.5) for all devices. This build contains security fixes for Pwnium and
        • .

          Stable Channel Update
          The Stable Channel has been updated to 33.0.1750.152 for Mac and Linux and 33.0.1750.154 for Windows.
      • What got me..

        was that the Chrome exploit at HP's event was only partially recognized, because part of the attack was also used at Pwnium.

        Hacked is hacked, the bug hadn't been patched, just because it was also used at a different event doesn't mean it is invalid - although I can understand reducing the payment if the same group used the same hack at both events.
        • I can see their point in the sense that

          they used the exploit, and then it was used at another event before it was fixed - At that point everyone knows it exists, but from the BUSINESS standpoint, which Google is, Google has to fix it without making things worse in another area, which takes some time.

          Business is a totally different entity than a hacking contestant.
        • Hacked is not hacked

          ZDI = Zero Day Initiative. It's not "hacked again using previously known methods", it's "hack using previously unknown methods". If you don't understand that, look up "zero day".
      • With ChromeOS...

        ...does Chrome run as an unprivileged user, or as root? The latter would be bad. I'll note that on conventional Linux systems, a browser runs with the permissions of the user, and only fools do ordinary work as root.
        John L. Ries
  • Bahahahaha....

    Google is crap.
    • Meh!

    • Wow

      Your least intelligent comment yet.
      • Oh no, he has

        posted far less intelligent comments here at ZDnet in the not too distant past. It will get worse as Windows sinks lower into the abyss.
      • I've seen worse from him.

        You'll get used to him, kind of like how most of C|Net got used to zerorandy (before he got banned, of course).
    • Bahahahaha.... Owl:Net is crap.

      nuf said!!
    • By the same measure, Windows is crap.

      too sleepy to resist...
  • VUPEN came in with 20 exploitable 0days and used 11......

    “VUPEN team has prepared 20 exploitable 0days for the showpionship.” @VUPEN

    VUPEN Security @VUPEN 23h
    At this year's #Pwn2Own we used a total of 11 zero-days & we reported *full* exploits (including sandbox escapes) to HP+Vendors to fix them!
  • Opera?

    • Seth223: "Opera?"

      Sadly, the Opera browser is now a mere shell over Google's open source Chromium browser. What has Opera done to make it more secure?

      In addition, Opera has dropped support for both GNU/Linux and FreeBSD.
      Rabid Howler Monkey
  • So It Would Seem

    that Chromebooks are not secure after all. Just more hype!

    Maybe next year penguin.
    • still better than windows.

      1 breakin for ChromeOS vs 11 out of 20 possible for Windows.