Every commonly used browser is vulnerable to hackers; that was the end result of the Pwn2Own hacking contest on Thursday.
Seven different hackers and hacker teams managed to break into Firefox, Internet Explorer, Chrome and Safari, and just for fun, they infiltrated Adobe's Flash. The hackers did nothing nefarious nor would their actions be noticed outside the walls of the contest, but the ease at with they accomplished their goals is a bit scary. All were beaten within five minutes.
However, this was the entire point. The contest is part of Hewlett-Packard's Zero Day Initiative. This is a program founded by TippingPoint designed to reward Internet security researchers for responsibly disclosing various vulnerabilities.
At the end of the contest all of the hacks were disclosed to the respective companies in the conference's Chamber of Disclosures. Each company said it would now work to fix the break in point.
The winners took home a total of $450,000 for their nefarious efforts
Here are the winners:
An anonymous participant used a sandbox bypass to break into Google Chrome resulting in a code execution. Sandbox is an anti-exploit software employed by manufacturers to defeat hacks. Contestant Sebastian Apelt and Andreas Schmidt beat Microsoft's Internet Explorer implemented two use-after-free and a kernel bug. The duo was then able to turn on the system's calculator to prove victory.
Apple Safari was defeated by Liang Chen of Keen Team. He used an out-of-bound read/write that also resulted in a code execution. George Hotz used the same method to beat Firefox.
Team VUPEN used a sandbox bypass and another technique to get into Chrome and By Zeguang Zhou of team509 and Liang Chen, teamed up against Adobe Flash using a heap overflow and sandbox bypass to defeat the software.
There was also some time for fun and to raise money for charity.
A non-official challenge pitted security researchers from Google against a similar team from Hewlett-Packard's DVLabs Zero Day Initiative (ZDI). In what must have been a sweet victory, the Google team hacked its way into Safari. The ZDI hackers cracked Internet Explorer 11. A total of $82,500 was raised for the Canadian Red Cross.
