Pwn2Own Contest Shows Critical Security Flaws Remain Abundant
The Pwn2Own hacking competition shows that security isn't a goal, but a journey, as contestants discover more than 30 vulnerabilities in major browsers and plug-ins.While developers are getting better about hardening their software, the 35 vulnerabilities revealed at the Pwn2Own tournament this week show that security remains a work in progress. The annual contest pits vulnerability researchers against the latest operating systems running four different browsers and vital plug-ins, with the winner taking home the compromised—or "pwned"—laptop and up to $100,000 in cash prizes. Eight groups of researchers attempted to hack the systems, reporting 35 vulnerabilities to the contest organizers that would be passed on to their respective software vendors for patches and repairs, Brian Gorenc, manager of vulnerability research at HP Security Research, told eWEEK. "You are seeing a market that is very lucrative and growing, and that results in more vulnerability research," he said. "We are seeing people take more of an out-of-the-box approach to exploiting software." The larger cash prizes have helped. Last year, the contest dramatically increased the prizes and awarded more than a half of million dollars. With more time to prepare, eight teams came out and signed up for 15 different attempted exploits. In total, more than $850,000 in cash prizes were awarded at the contest.
Three attacks on Mozilla Firefox required only a single vulnerability, but for the most part, the exploits required two vulnerabilities—one to break out of the application sandbox protecting the system from untrusted code and another to elevate privileges from the context of the browser to those of the system kernel. The two-stage attacks are the new normal for vulnerability exploitation, Gorenc said.