Efforts to boost browser security against emerging threats clearly continues to be a work in progress for vendors, judging from the results of the recent Pwn2Own competition at the CanSecWest 2015 Conference in Vancouver, Canada.

Security researchers competing in the contest were able to hack into all four major browsers and popular plugins such as Flash Player using remote code exploits. In total, researchers competing in the event unearthed four bugs in Internet Explorer, three in Mozilla Firefox, two in Apple Safari and one in Google Chrome. They also discovered a total of five bugs in the Windows operating system and three vulnerabilities each in Adobe Reader and Adobe Flash.

Pwn2Own is a two-day hacking competition sponsored by HP’s Zero Day Initiative program. The competition is designed to encourage responsible bug disclosure practices within the security research community.

For this year’s competition, HP awarded cash prizes totaling $557,000 to researchers who demonstrated system-level code execution exploits against the four major browsers. Contestants who broke into specific Windows-based targets were eligible for an additional $25,000, while those who managed to crack Google Chrome Beta received $10,000 in extra money.

Impressive Tally at Pwn2Own Competition

Leading the pack with the most exploits was South Korean researcher JungHoon Lee, who, as an individual competitor, earned $225,000 for his exploits against Internet Explorer, Google Chrome and Apple Safari. Lee, who uses the online handle “lokihardt,” earned the single biggest payout at this year’s Pwn2Own competition for exploiting a buffer overflow vulnerability in both stable and beta versions of Google’s Chrome browser, according to HP.

Lee exploited the vulnerability to escalate his privileges in the browser and eventually gain system-level access on the computer running the browser. He earned $75,000 for finding the Chrome bug, another $25,000 for gaining system-level access and a $10,000 bounty from Google for finding a flaw in the beta version of Chrome.

Lee also exploited the 64-bit version of Internet Explorer 11 using a time-of-check, time-of-use flaw that allowed him to evade all security mechanisms in the browser to gain read-write privileges. The medium-integrity code execution exploit earned him $65,000. He also netted another $50,000 for using a use-after-free vulnerability to punch a hole through Apple Safari’s protection mechanisms and run a remote code exploit on the system.

Mozilla Flaws

Over the course of the two-day Pwn2Own competition, security researchers found a total of three bugs in Mozilla’s Firefox browser. One of the flaws, discovered by security researcher Mariusz Mlynski, was a cross-origin vulnerability that allowed the researcher to escalate privileges within the browser and gain system-level access in Windows in just 0.542 seconds, HP noted. The exploit earned Mlynski a total of $55,000 in rewards.

A security researcher using the online handle “ilxu1a” demonstrated another exploit in Firefox involving an out-of-bounds read-write vulnerability in the browser. The medium-integrity code execution flaw, like the one discovered by Lee, allowed for sub-second code exploitation on the browser.

Internet Explorer Exploits

The Internet Explorer exploits demonstrated at the contest, meanwhile, included one by 360Vulnac Team, which showed how an uninitialized memory vulnerability in the 64-bit Internet Explorer 11 could be used to remotely execute malicious code in the browser. The exploit earned the team a total of $32,500.

The browser flaws unearthed at the competition are another reminder of the need for users to ensure browsers and other software are always updated and properly patched. Recent research by security vendor Malwarebytes shows that browser vulnerabilities pose one of the biggest security headaches for IT decision-makers. More than 7 in 10 of the 685 IT decision-makers surveyed said the growing number of exploitable browser vulnerabilities being discovered pose one of the biggest threats to enterprise security.

More from

The importance of Infrastructure as Code (IaC) when Securing cloud environments

4 min read - According to the 2023 Thales Data Threat Report, 55% of organizations experiencing a data breach have reported “human error” as the primary cause. This is further compounded by organizations now facing attacks from increasingly sophisticated cyber criminals with a wide range of automated tools. As organizations move more of their operations to the cloud, they must also become increasingly aware of the security risks and threats that come with it. It’s not enough anymore to simply have a set of…

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

How I got started: SIEM engineer

3 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…