Efforts to boost browser security against emerging threats clearly continues to be a work in progress for vendors, judging from the results of the recent Pwn2Own competition at the CanSecWest 2015 Conference in Vancouver, Canada.
Security researchers competing in the contest were able to hack into all four major browsers and popular plugins such as Flash Player using remote code exploits. In total, researchers competing in the event unearthed four bugs in Internet Explorer, three in Mozilla Firefox, two in Apple Safari and one in Google Chrome. They also discovered a total of five bugs in the Windows operating system and three vulnerabilities each in Adobe Reader and Adobe Flash.
Pwn2Own is a two-day hacking competition sponsored by HP’s Zero Day Initiative program. The competition is designed to encourage responsible bug disclosure practices within the security research community.
For this year’s competition, HP awarded cash prizes totaling $557,000 to researchers who demonstrated system-level code execution exploits against the four major browsers. Contestants who broke into specific Windows-based targets were eligible for an additional $25,000, while those who managed to crack Google Chrome Beta received $10,000 in extra money.
Impressive Tally at Pwn2Own Competition
Leading the pack with the most exploits was South Korean researcher JungHoon Lee, who, as an individual competitor, earned $225,000 for his exploits against Internet Explorer, Google Chrome and Apple Safari. Lee, who uses the online handle “lokihardt,” earned the single biggest payout at this year’s Pwn2Own competition for exploiting a buffer overflow vulnerability in both stable and beta versions of Google’s Chrome browser, according to HP.
Lee exploited the vulnerability to escalate his privileges in the browser and eventually gain system-level access on the computer running the browser. He earned $75,000 for finding the Chrome bug, another $25,000 for gaining system-level access and a $10,000 bounty from Google for finding a flaw in the beta version of Chrome.
Lee also exploited the 64-bit version of Internet Explorer 11 using a time-of-check, time-of-use flaw that allowed him to evade all security mechanisms in the browser to gain read-write privileges. The medium-integrity code execution exploit earned him $65,000. He also netted another $50,000 for using a use-after-free vulnerability to punch a hole through Apple Safari’s protection mechanisms and run a remote code exploit on the system.
Over the course of the two-day Pwn2Own competition, security researchers found a total of three bugs in Mozilla’s Firefox browser. One of the flaws, discovered by security researcher Mariusz Mlynski, was a cross-origin vulnerability that allowed the researcher to escalate privileges within the browser and gain system-level access in Windows in just 0.542 seconds, HP noted. The exploit earned Mlynski a total of $55,000 in rewards.
A security researcher using the online handle “ilxu1a” demonstrated another exploit in Firefox involving an out-of-bounds read-write vulnerability in the browser. The medium-integrity code execution flaw, like the one discovered by Lee, allowed for sub-second code exploitation on the browser.
Internet Explorer Exploits
The Internet Explorer exploits demonstrated at the contest, meanwhile, included one by 360Vulnac Team, which showed how an uninitialized memory vulnerability in the 64-bit Internet Explorer 11 could be used to remotely execute malicious code in the browser. The exploit earned the team a total of $32,500.
The browser flaws unearthed at the competition are another reminder of the need for users to ensure browsers and other software are always updated and properly patched. Recent research by security vendor Malwarebytes shows that browser vulnerabilities pose one of the biggest security headaches for IT decision-makers. More than 7 in 10 of the 685 IT decision-makers surveyed said the growing number of exploitable browser vulnerabilities being discovered pose one of the biggest threats to enterprise security.