Java, Adobe Plug-Ins, Browsers All Fail to Survive Pwn2Own Contest

Researchers demonstrated four zero-day attacks against Java and successfully compromised Adobe's plug-ins, Microsoft's IE10, Mozilla's Firefox and Google's Chrome.

Security researchers claimed nearly $500,000 in bounties for demonstrating previously unknown—or zero-day—attacks against all major browsers and three popular browser plug-ins at the annual Pwn2Own competition at the CanSecWest conference in Vancouver, B.C.

The three-day contest, which ends March 8, requires that security professionals play the role of attackers and compromise fully patched versions of popular browsers running on Windows 8 and Mac OS X. After a successful attack, which requires that the researcher gain control over the target system, the contestants must turn over the details of the vulnerability to Hewlett-Packard's Zero Day Initiative (ZDI), which runs the competition. Those details are then passed to vendors to be patched.

"All of these individuals who come in and participate in the competition, they are bringing zero days that were not known at the time of the competition," said Brian Gorenc, manager of vulnerability research for HP's Security Research Labs. "So it is bleeding-edge research, especially when it comes to bypassing the sandboxes and the various plug-ins and browsers, which is why we offer the money we do."

The company will pay two teams of researchers—offensive security firm VUPEN and a pair of researchers—$100,000 each for finding and exploiting critical flaws in Microsoft's Internet Explorer 10 and Google's latest version of the Chrome browser. In addition, the flaws found in Adobe's Flash and Reader plug-ins will net VUPEN and researcher George Hotz each $70,000. Finally, the successful compromise using Mozilla's Firefox will earn VUPEN another $60,000 and four separate exploits of Java will net the researchers who found them $20,000 each.

HP coordinated with each affected software developer to get the information on the flaws to the appropriate security team.

Oracle's Java SE was the hardest hit in the competition, with researchers revealing four vulnerabilities from three different classes of security issues. The last month has been hard for Oracle, as the company has had to release three emergency patches for its Java plug-in, including one patch right before the Pwn2Own competition.

"You are seeing more and more Java being utilized to launch attacks against companies, governments and consumers," HP's Gorenc said. Going into the competition, "we were not quite sure what we were going to see, but it was nice to see three different types of bugs come into the program."

Bounties paid out by the competition have steadily increased since the initial contest, and the format has changed as well. For the last two years, ZDI had implemented a point system for each compromise.

A decade ago, vulnerability researchers generally fell into two camps: those who cooperated with software vendors to get vulnerabilities fixed, and those who published the information without warning—so-called full disclosure—in an attempt to shame the vendor. Increasingly, however, researchers are seeking to get paid for their endeavors. Programs like HP's Zero Day Initiative pay a modest amount for vulnerability research. Private buyers—most often governments—pay much better rates.

Yet the Pwn2Own competition's recent prizes have started to get close to the six-figure payouts typically only paid by government buyers.