Pwn2Own: 14 browser and plugin exploits the NSA won't be buying

The Pwn2Own contest has secured at least 14 flaws for vendors to fix.
Written by Liam Tung, Contributing Writer

Over the past two days at the Pwn2Own contest, hackers have taken home $850,000 in prize money for exploits that broke all major browsers and the plugin for Adobe Flash.

Expect patches soon for Internet Explorer, Firefox, Chrome, Safari, and Adobe Flash for flaws that could have found their way to intelligence agencies and will likely still find their way to exploit kits aimed at anyone careless enough not to install the next patch.

The biggest winner from this year's annual hacking contest by HP Tipping Point's Zero Day Initiative (ZDI) was French security firm Vupen, which took home $400,000 for five exploits. Vupen is one of a handful of companies that actively markets exploits to intelligence agencies and law enforcement for lawful intercept use.

Vupen's attack on Adobe Flash bypassed the IE sandbox to gain code execution, landing it $75,000. It achieved the same result using a heap overflow and PDF sandbox escape in Adobe Reader, which secured it a further $75,000. While the company, headed up Chaouki Bekrar, spent two months preparing for the contest, the two exploits netted it $150,000 within two hours on Wednesday.

Vupen then toppled IE with "a use-after-free causing object confusion in the broker, resulting in sandbox bypass", giving it a further $100,000 on Wednesday, which it followed up with a $100,000 exploit for a flaw affecting Blink and Webkit in Chrome and a $50,000 attack for Firefox. Both resulted in code execution.

The company also had an exploit for Oracle's Java and Apple's Safari, but withdrew them from the competition.

PlayStation modder and one-time Apple employee, George Hotz, used an flaw in Firefox to achieve "out-of-bound read/write resulting in code execution", which landed him $50,000.

Others that won cash prizes for their attacks included Liang Chen, who won $65,000 for a heap overflow along with a sandbox bypass, resulting in code execution in Safari. Chen also collaborated with Zeguang Zhao of Team509 to take a further $75,000 for a heap overflow with a sandbox bypass, resulting in code execution in Flash.

In total, the contestants won $850,000 of an available pool of $1,085,000. A $32,000 prize won by Google and a $50,000 exploit from researchers with the ZDI were donated to the Canadian Red Cross.

As ZDI points out in an accompanying infographic, security researchers have a few channels to choose from once they find a flaw. They can simply sell them to third party vendors, such as ZDI, which reports them to vendors, enter hacking contests like Pwn2Own or Google's Pwnium, report them under a company's bug bounty rules, sell them to a broker, sell them to the highest bidder, or opt for full disclosure.

More on browsers

Editorial standards