All major browsers and Java fall at Pwn2Own
Source: MWR Labs on Twitter
On the first day of this year's Pwn2Own contest in Vancouver, which is taking place from 6 to 8 March, current versions of all major browsers were brought down by exploits. Chrome, Firefox and Internet Explorer 10 on Windows 8 were all successfully attacked. Predictably, vulnerabilities in Java were also exploited. More than half a million dollars is available in prize money from HP's Zero Day Initiative (ZDI) for successful exploits in Chrome, IE 9 and 10, Firefox, and Safari. Exploits for Adobe's Reader XI, Flash, and Java can also be entered. ZDI has announced that it will purchase all exploits from contestants pre-registered for the contest.
According to SC Magazine, Firefox fell to a use-after-free zero day exploit that bypassed the browser's Address Space Layout Randomisation (ASLR) and the Data Execution Prevention (DEP) protection in Windows; the vulnerability was discovered by security outfit Vupen. Vupen is well known for selling such zero day exploits to third parties without disclosing them to the affected software vendors. Researchers from the company also compromised Internet Explorer 10 on a Surface Pro tablet running Windows 8, a feat that required several weeks to find the flaw in the browser and several more weeks to create an exploit that worked reliably, according to a report on Kaspersky's threatpost.
Chrome was successfully attacked by two researchers from MWR Labs using two vulnerabilities to bypass the Chrome sandbox on Windows. An additional kernel vulnerability discovered by MWR Labs gave the researchers the ability to execute arbitrary commands with system privileges once they had escaped the sandbox. Google is offering a prize fund of $3.14159 million in the Pwnium contest for Chrome and Chrome OS that is running alongside Pwn2Own.
Vupen also managed to exploit a vulnerability in Java, as did researchers from Accuvant Labs and Contextis. Praising Adobe's effort to secure Flash and Reader, Chaouki Bekrar Vupen's CEO told threatpost: "Writing exploits in general is getting much harder. Java is really easy because there's no sandbox." He added that this was the reason attackers seem to be moving away from Flash exploits in favour of using Java holes.
Day two of Pwn2Own will see Vupen take on Flash, George Hotz take on Adobe Reader and Pharm Toan take on IE10.