Pwn2Own: 14 browser and plugin exploits the NSA won't be buying

Summary: The Pwn2Own contest has secured at least 14 flaws for vendors to fix.


Over the past two days at the Pwn2Own contest, hackers have taken home $850,000 in prize money for exploits that broke all major browsers and the plugin for Adobe Flash.

Expect patches soon for Internet Explorer, Firefox, Chrome, Safari, and Adobe Flash, fixing flaws that could otherwise have found their way to intelligence agencies and will likely still find their way into exploit kits aimed at anyone careless enough not to install the next patch.

The biggest winner from this year's annual hacking contest by HP TippingPoint's Zero Day Initiative (ZDI) was French security firm Vupen, which took home $400,000 for five exploits. Vupen is one of a handful of companies that actively markets exploits to intelligence agencies and law enforcement for lawful intercept use.

Vupen's attack on Adobe Flash bypassed the IE sandbox to gain code execution, landing it $75,000. It achieved the same result using a heap overflow and PDF sandbox escape in Adobe Reader, which secured it a further $75,000. While the company, headed up by Chaouki Bekrar, spent two months preparing for the contest, the two exploits netted it $150,000 within two hours on Wednesday.

Vupen then toppled IE with "a use-after-free causing object confusion in the broker, resulting in sandbox bypass", giving it a further $100,000 on Wednesday, which it followed up with a $100,000 exploit for a flaw affecting Blink and Webkit in Chrome and a $50,000 attack for Firefox. Both resulted in code execution.

The company also had an exploit for Oracle's Java and Apple's Safari, but withdrew them from the competition.

PlayStation modder and one-time Apple employee George Hotz used a flaw in Firefox to achieve an "out-of-bound read/write resulting in code execution", which landed him $50,000.

Others that won cash prizes for their attacks included Liang Chen, who won $65,000 for a heap overflow along with a sandbox bypass, resulting in code execution in Safari. Chen also collaborated with Zeguang Zhao of Team509 to take a further $75,000 for a heap overflow with a sandbox bypass, resulting in code execution in Flash.

In total, the contestants won $850,000 of an available pool of $1,085,000. A $32,000 prize won by Google and a $50,000 exploit from researchers with the ZDI were donated to the Canadian Red Cross.

As ZDI points out in an accompanying infographic, security researchers have a few channels to choose from once they find a flaw. They can sell them to third-party vendors such as ZDI, which reports them to the affected software vendors; enter hacking contests like Pwn2Own or Google's Pwnium; report them under a company's bug bounty rules; sell them to a broker; sell them to the highest bidder; or opt for full disclosure.


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.



  • All well and good, but....

    This does reinforce the already strong impression that finding flaws in current, widely used software is much like a video game where the point is to figure your way around obstacles to find and gather valuable objects: you know that the flaws are there if you look hard enough and that they can be very valuable. And further, while it's nice that these contests have sizeable rewards, these types of exploits can also easily pull in 2 or 3 times those amounts on the cyber blackmarket.
  • Good advertising

    "The company also had an exploit for Oracle's Java and Apple's Safari but withdrew them from the competition."

    Higher bidder?
  • Difficult to determine what is actually being reported here.

    "French security firm Vupen says "xyz""
    "French security firm Vupen further goes on to say... blah blah"

    Perhaps I missed something here
    Flawless Cowboy
  • The big boys have learned NOTHING from history

    "a use-after-free". Really? Every programmer knows how to create fault-tolerant, run-time type-checked, C/CPP code that eliminates "use-after-free" code. Just Google "a class methodology for c code" -- a solution that existed over 20 years ago (and not even unique then).
    • Given that the holes are there

      It's rather obvious that not every programmer knows how to create fault-tolerant, run-time type-checked, C/C++ code that eliminates "use after free" issues.

      Or it could just be that those programmers' employers are more worried about getting the product out the door than in preventing exploits.
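As an added illustration of the kind of run-time check the exchange above is arguing about (this is example code written for this page, not the commenter's "class methodology" and not code from any of the browsers or vendors named in the article): a small object pool that hands out generation-tagged handles instead of raw pointers. Freeing a slot bumps its generation, so a handle kept past the free no longer resolves, and the classic use-after-free shape (free A, allocate B into the same slot, use the dangling reference to A) is refused rather than silently reading B's data as A. The pool, the `handle_t` layout and the `demo_stale_handle_refused` scenario are all assumptions made for the example; a real browser broker would have to apply the same idea to every object that crosses the sandbox boundary, which is where the engineering cost lives.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code for this page (not from the article or its commenters):
 * a generation-checked object pool. Callers hold {slot, generation}
 * handles; a free increments the slot's generation, invalidating every
 * outstanding copy of the handle. */

#define POOL_SLOTS 4

typedef struct {
    uint32_t slot;
    uint32_t generation;
} handle_t;

typedef struct {
    uint32_t generation;   /* incremented on every free of this slot */
    int      in_use;
    char     payload[32];
} pool_entry_t;

static pool_entry_t pool[POOL_SLOTS];

/* Find a free slot and return a handle carrying its current generation. */
static int pool_alloc(handle_t *out, const char *data) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            memset(pool[i].payload, 0, sizeof pool[i].payload);
            strncpy(pool[i].payload, data, sizeof pool[i].payload - 1);
            out->slot = i;
            out->generation = pool[i].generation;
            return 0;
        }
    }
    return -1; /* pool exhausted */
}

/* The run-time check: a handle whose slot was freed (or freed and then
 * reallocated to someone else) fails the generation compare and yields NULL. */
static pool_entry_t *pool_resolve(handle_t h) {
    if (h.slot >= POOL_SLOTS) return NULL;
    pool_entry_t *e = &pool[h.slot];
    if (!e->in_use || e->generation != h.generation) return NULL;
    return e;
}

/* Free through the same check, so a double free or a stale handle is refused. */
static int pool_free(handle_t h) {
    pool_entry_t *e = pool_resolve(h);
    if (!e) return -1;
    e->in_use = 0;
    e->generation++;           /* every outstanding copy of h is now stale */
    memset(e->payload, 0, sizeof e->payload);
    return 0;
}

/* Constructed scenario: free A, allocate B into the recycled slot, then try
 * to use the dangling handle to A. Returns 0 when every check behaves as
 * intended; a positive value marks the step where a use-after-free or
 * double free would have slipped through. */
int demo_stale_handle_refused(void) {
    memset(pool, 0, sizeof pool);
    handle_t a, b;
    if (pool_alloc(&a, "object A") != 0) return -1;
    if (pool_free(a) != 0) return -2;
    if (pool_alloc(&b, "object B") != 0) return -3;
    if (b.slot != a.slot) return -4;          /* same memory was recycled ... */
    if (pool_resolve(a) != NULL) return 1;    /* ... but the stale handle is refused */
    if (pool_resolve(b) == NULL) return -5;   /* the live handle still works */
    if (pool_free(a) != -1) return 2;         /* double free through A is refused too */
    return 0;
}

int main(void) {
    int rc = demo_stale_handle_refused();
    printf("stale handle refused: %s\n", rc == 0 ? "yes" : "no");
    return rc;
}
```

The check is cheap (one compare per dereference) but only protects objects that are reached exclusively through handles; any code path that caches the raw `pool_entry_t *` across a free reintroduces the original problem, which is why retrofitting this onto a large C++ codebase is harder than the comment suggests.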
  • What this reinforces is

    How much better open source is for fixing flaws