March 25, 2015 By Jaikumar Vijayan 3 min read

Efforts to boost browser security against emerging threats clearly continues to be a work in progress for vendors, judging from the results of the recent Pwn2Own competition at the CanSecWest 2015 Conference in Vancouver, Canada.

Security researchers competing in the contest were able to hack into all four major browsers and popular plugins such as Flash Player using remote code exploits. In total, researchers competing in the event unearthed four bugs in Internet Explorer, three in Mozilla Firefox, two in Apple Safari and one in Google Chrome. They also discovered a total of five bugs in the Windows operating system and three vulnerabilities each in Adobe Reader and Adobe Flash.

Pwn2Own is a two-day hacking competition sponsored by HP’s Zero Day Initiative program. The competition is designed to encourage responsible bug disclosure practices within the security research community.

For this year’s competition, HP awarded cash prizes totaling $557,000 to researchers who demonstrated system-level code execution exploits against the four major browsers. Contestants who broke into specific Windows-based targets were eligible for an additional $25,000, while those who managed to crack Google Chrome Beta received $10,000 in extra money.

Impressive Tally at Pwn2Own Competition

Leading the pack with the most exploits was South Korean researcher JungHoon Lee, who, as an individual competitor, earned $225,000 for his exploits against Internet Explorer, Google Chrome and Apple Safari. Lee, who uses the online handle “lokihardt,” earned the single biggest payout at this year’s Pwn2Own competition for exploiting a buffer overflow vulnerability in both stable and beta versions of Google’s Chrome browser, according to HP.

Lee exploited the vulnerability to escalate his privileges in the browser and eventually gain system-level access on the computer running the browser. He earned $75,000 for finding the Chrome bug, another $25,000 for gaining system-level access and a $10,000 bounty from Google for finding a flaw in the beta version of Chrome.

Lee also exploited the 64-bit version of Internet Explorer 11 using a time-of-check, time-of-use flaw that allowed him to evade all security mechanisms in the browser to gain read-write privileges. The medium-integrity code execution exploit earned him $65,000. He also netted another $50,000 for using a use-after-free vulnerability to punch a hole through Apple Safari’s protection mechanisms and run a remote code exploit on the system.

Mozilla Flaws

Over the course of the two-day Pwn2Own competition, security researchers found a total of three bugs in Mozilla’s Firefox browser. One of the flaws, discovered by security researcher Mariusz Mlynski, was a cross-origin vulnerability that allowed the researcher to escalate privileges within the browser and gain system-level access in Windows in just 0.542 seconds, HP noted. The exploit earned Mlynski a total of $55,000 in rewards.

A security researcher using the online handle “ilxu1a” demonstrated another exploit in Firefox involving an out-of-bounds read-write vulnerability in the browser. The medium-integrity code execution flaw, like the one discovered by Lee, allowed for sub-second code exploitation on the browser.

Internet Explorer Exploits

The Internet Explorer exploits demonstrated at the contest, meanwhile, included one by 360Vulnac Team, which showed how an uninitialized memory vulnerability in the 64-bit Internet Explorer 11 could be used to remotely execute malicious code in the browser. The exploit earned the team a total of $32,500.

The browser flaws unearthed at the competition are another reminder of the need for users to ensure browsers and other software are always updated and properly patched. Recent research by security vendor Malwarebytes shows that browser vulnerabilities pose one of the biggest security headaches for IT decision-makers. More than 7 in 10 of the 685 IT decision-makers surveyed said the growing number of exploitable browser vulnerabilities being discovered pose one of the biggest threats to enterprise security.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today