Pwn2Own ends with all attackers winning

The Pwn2Own competition at CanSecWest has come to an end with the second day being like the first day. No web browser plugin survived being attacked and Adobe Flash, Adobe Reader XI and Java were all successfully hacked. Vupen security, who had demonstrated exploits of Internet Explorer 10, Firefox and Java on day one, returned with an exploit for Adobe Flash. George Hotz took down Adobe Reader and the day ended with Ben Murphy's exploit of Java, making it the fourth Java "pwning" of the contest.

In response to day one's exploits, both Mozilla and Google have shipped updates to their browsers. Mozilla's Firefox has been updated to version 19.0.2 with a fix for the vulnerability; the same fix, for a use-after-free in the HTML editor which could lead to arbitrary code execution, has also been applied to Firefox ESR 17.0.4, Thunderbird (ESR) 17.0.4 and SeaMonkey 2.16.1. Google has updated the stable channel for Chrome on Windows, Mac OS X and Linux for the type confusion flaw that was exploited by Nils and Jon of MWR Labs at Pwn2Own. Both the Firefox and Chrome updates are automatically downloaded by browsers and installed on browser restarts.

By the end of Pwn2Own, at least $420,000 of the over half a million dollar prize fund will have been presented as prizes. Today, the attention moves on to Google's Pwnium competition, with a $3.14159 million prize fund and up to $150,000 prizes for exploits that survive reboots.

Update - In all, $480,000 of the prize fund was handed out in prizes after a rule change by HP allowed all successful exploits to receive the category prize money even when there were multiple winners in that category (in this case Java).

(djwm)