Efforts to boost browser security against emerging threats clearly continues to be a work in progress for vendors, judging from the results of the recent Pwn2Own competition at the CanSecWest 2015 Conference in Vancouver, Canada.

Security researchers competing in the contest were able to hack into all four major browsers and popular plugins such as Flash Player using remote code exploits. In total, researchers competing in the event unearthed four bugs in Internet Explorer, three in Mozilla Firefox, two in Apple Safari and one in Google Chrome. They also discovered a total of five bugs in the Windows operating system and three vulnerabilities each in Adobe Reader and Adobe Flash.

Pwn2Own is a two-day hacking competition sponsored by HP’s Zero Day Initiative program. The competition is designed to encourage responsible bug disclosure practices within the security research community.

For this year’s competition, HP awarded cash prizes totaling $557,000 to researchers who demonstrated system-level code execution exploits against the four major browsers. Contestants who broke into specific Windows-based targets were eligible for an additional $25,000, while those who managed to crack Google Chrome Beta received $10,000 in extra money.

Impressive Tally at Pwn2Own Competition

Leading the pack with the most exploits was South Korean researcher JungHoon Lee, who, as an individual competitor, earned $225,000 for his exploits against Internet Explorer, Google Chrome and Apple Safari. Lee, who uses the online handle “lokihardt,” earned the single biggest payout at this year’s Pwn2Own competition for exploiting a buffer overflow vulnerability in both stable and beta versions of Google’s Chrome browser, according to HP.

Lee exploited the vulnerability to escalate his privileges in the browser and eventually gain system-level access on the computer running the browser. He earned $75,000 for finding the Chrome bug, another $25,000 for gaining system-level access and a $10,000 bounty from Google for finding a flaw in the beta version of Chrome.

Lee also exploited the 64-bit version of Internet Explorer 11 using a time-of-check, time-of-use flaw that allowed him to evade all security mechanisms in the browser to gain read-write privileges. The medium-integrity code execution exploit earned him $65,000. He also netted another $50,000 for using a use-after-free vulnerability to punch a hole through Apple Safari’s protection mechanisms and run a remote code exploit on the system.

Mozilla Flaws

Over the course of the two-day Pwn2Own competition, security researchers found a total of three bugs in Mozilla’s Firefox browser. One of the flaws, discovered by security researcher Mariusz Mlynski, was a cross-origin vulnerability that allowed the researcher to escalate privileges within the browser and gain system-level access in Windows in just 0.542 seconds, HP noted. The exploit earned Mlynski a total of $55,000 in rewards.

A security researcher using the online handle “ilxu1a” demonstrated another exploit in Firefox involving an out-of-bounds read-write vulnerability in the browser. The medium-integrity code execution flaw, like the one discovered by Lee, allowed for sub-second code exploitation on the browser.

Internet Explorer Exploits

The Internet Explorer exploits demonstrated at the contest, meanwhile, included one by 360Vulnac Team, which showed how an uninitialized memory vulnerability in the 64-bit Internet Explorer 11 could be used to remotely execute malicious code in the browser. The exploit earned the team a total of $32,500.

The browser flaws unearthed at the competition are another reminder of the need for users to ensure browsers and other software are always updated and properly patched. Recent research by security vendor Malwarebytes shows that browser vulnerabilities pose one of the biggest security headaches for IT decision-makers. More than 7 in 10 of the 685 IT decision-makers surveyed said the growing number of exploitable browser vulnerabilities being discovered pose one of the biggest threats to enterprise security.

More from

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

What CISOs Should Know About CIRCIA Incident Reporting

In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must…

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…