CanSecWest’s annual Pwn2Own hacking competition took place March 7 – 9 this year. It went by relatively quiet this time around. Nevertheless, some interesting developments occurred.
Google pulled itself out as a sponsor of the event, citing rule changes; full disclosure was not required by the exploiters. Instead Google hosted their own “pwn” competition named Pwnium. Chrome was hacked three times. First by the security firm VUPEN, who didn’t reveal their exploit and decided instead to keep it for their customers. VUPEN used two zero-day flaws to complete their exploit. Second by Sergey Glazunov, a Russian university student with two zero-day vulnerabilities. Glazunov’s exploit didn’t break out of the sandbox, though; it avoided it altogether. The third exploit was completed by a teenager who goes by the handle of “Pinkie Pie”; he used three zero-day vulnerabilities to accomplish his exploit and break out of the sandbox.
For the exploits that were revealed, Google released a patch within 24 hours.
Internet Explorer 9 was hacked by VUPEN using two zero-day vulnerabilities. The vulnerabilities exist in all versions of Internet Explorer from 6 all the way to the newest platform preview for IE 10 on the Windows 8 Consumer Preview. VUPEN is only revealing one of the vulnerabilities and keeping the other private for their customers.
Firefox was hacked by the team of Willem Pinckaers and Vincenzo Iozzo, who demonstrated a zero-day flaw. A patch has not been issued yet.
Unlike previous years, no one attempted zero-day exploits on Apple’s Safari browser. Some are attributing the low turnout this year to the change of rules of the event.