March 25, 2015 By Jaikumar Vijayan 3 min read

Efforts to boost browser security against emerging threats clearly continues to be a work in progress for vendors, judging from the results of the recent Pwn2Own competition at the CanSecWest 2015 Conference in Vancouver, Canada.

Security researchers competing in the contest were able to hack into all four major browsers and popular plugins such as Flash Player using remote code exploits. In total, researchers competing in the event unearthed four bugs in Internet Explorer, three in Mozilla Firefox, two in Apple Safari and one in Google Chrome. They also discovered a total of five bugs in the Windows operating system and three vulnerabilities each in Adobe Reader and Adobe Flash.

Pwn2Own is a two-day hacking competition sponsored by HP’s Zero Day Initiative program. The competition is designed to encourage responsible bug disclosure practices within the security research community.

For this year’s competition, HP awarded cash prizes totaling $557,000 to researchers who demonstrated system-level code execution exploits against the four major browsers. Contestants who broke into specific Windows-based targets were eligible for an additional $25,000, while those who managed to crack Google Chrome Beta received $10,000 in extra money.

Impressive Tally at Pwn2Own Competition

Leading the pack with the most exploits was South Korean researcher JungHoon Lee, who, as an individual competitor, earned $225,000 for his exploits against Internet Explorer, Google Chrome and Apple Safari. Lee, who uses the online handle “lokihardt,” earned the single biggest payout at this year’s Pwn2Own competition for exploiting a buffer overflow vulnerability in both stable and beta versions of Google’s Chrome browser, according to HP.

Lee exploited the vulnerability to escalate his privileges in the browser and eventually gain system-level access on the computer running the browser. He earned $75,000 for finding the Chrome bug, another $25,000 for gaining system-level access and a $10,000 bounty from Google for finding a flaw in the beta version of Chrome.

Lee also exploited the 64-bit version of Internet Explorer 11 using a time-of-check, time-of-use flaw that allowed him to evade all security mechanisms in the browser to gain read-write privileges. The medium-integrity code execution exploit earned him $65,000. He also netted another $50,000 for using a use-after-free vulnerability to punch a hole through Apple Safari’s protection mechanisms and run a remote code exploit on the system.

Mozilla Flaws

Over the course of the two-day Pwn2Own competition, security researchers found a total of three bugs in Mozilla’s Firefox browser. One of the flaws, discovered by security researcher Mariusz Mlynski, was a cross-origin vulnerability that allowed the researcher to escalate privileges within the browser and gain system-level access in Windows in just 0.542 seconds, HP noted. The exploit earned Mlynski a total of $55,000 in rewards.

A security researcher using the online handle “ilxu1a” demonstrated another exploit in Firefox involving an out-of-bounds read-write vulnerability in the browser. The medium-integrity code execution flaw, like the one discovered by Lee, allowed for sub-second code exploitation on the browser.

Internet Explorer Exploits

The Internet Explorer exploits demonstrated at the contest, meanwhile, included one by 360Vulnac Team, which showed how an uninitialized memory vulnerability in the 64-bit Internet Explorer 11 could be used to remotely execute malicious code in the browser. The exploit earned the team a total of $32,500.

The browser flaws unearthed at the competition are another reminder of the need for users to ensure browsers and other software are always updated and properly patched. Recent research by security vendor Malwarebytes shows that browser vulnerabilities pose one of the biggest security headaches for IT decision-makers. More than 7 in 10 of the 685 IT decision-makers surveyed said the growing number of exploitable browser vulnerabilities being discovered pose one of the biggest threats to enterprise security.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today