On March 19, the second day of the Hewlett-Packard Zero Day Initiative (ZDI) sponsored Pwn2Own hacking challenge at the CanSecWest conference in Vancouver, B.C., security researchers were able to successfully exploit Mozilla Firefox, Microsoft Internet Explorer, Google Chrome and Apple Safari.
HP awarded the researchers a total of $240,000 in prize money on the second day, bringing the two-day award total to $557,500.
On the first day of the Pwn2Own event, HP awarded $317,500 for exploits against Adobe Flash, Adobe Reader, Microsoft IE 11 and Firefox. The second day saw no new Adobe exploits, as researchers turned their attention back to the browsers, with new exploits reported against Firefox, IE, Chrome and Safari.
A security researcher identified by HP only as ilxu1a delivered the first exploit of the day with an out-of-bounds memory vulnerability in Firefox that took less than one second to execute. For his efforts, ilxu1a was awarded $15,000.
All told, Mozilla Firefox was exploited twice at the Pwn2own 2015 event, with exploits demonstrated on both days of the event, for a total payout of $70,000. Mozilla is no stranger to Pwn2Own and is often the first vendor to patch issues that are first disclosed at a Pwn2own event.
“We are on-site and have gotten the bug details from HP,” Daniel Veditz, principal security engineer at Mozilla, told eWEEK. “The details have been filed, and Mozilla engineers back home are working on patches.”
Veditz said that while the flaws were first demonstrated on March 18 and 19, Mozilla’s plan is to release updates for Firefox Desktop, Firefox for Android and Firefox ESR (Extended Support Release) on Friday, March 20.
Both the exploits against Firefox at Pwn2Own 2015 were executed in less than one second, but that doesn’t necessarily indicate that the exploits were easy to develop. Veditz said that the exploits were certainly not created in a second.
“Contestants showed up to claim all the prizes offered at Pwn2Own, and given the expense of travel to the conference, it is not surprising they have working exploits before coming,” Veditz said. “Computers are very fast, and it is not surprising that a well-crafted exploit written in advance would not take much execution time.”
The second day of Pwn2Own also saw security researcher JungHoon Lee, also known as lokihardt, demonstrate three different browser exploits against IE 11, Chrome and Apple Safari.
Lee’s successful exploit of Microsoft’s IE 11 earned him a $65,000 award, while the Apple Safari exploit yielded a $50,000 award. Lee was also able to successfully exploit Google Chrome for $75,000 as well as earning a bonus of $25,000 for demonstrating a privilege-escalation bug. HP also awarded a bonus of $10,000 to Lee for demonstrating his Chrome exploit on a beta version of Chrome.
Overall, Brian Gorenc, manager of vulnerability research for HP Security Research, said that one of the surprises at the Pwn2Own 2015 event was the amount of Windows kernel vulnerabilities that showed up, though he noted that HP, in a way, expected it.
“We put a premium on system-level privilege escalations,” Gorenc said. “We believe they are the most interesting, and potentially dangerous, bugs that come through Pwn2Own.”
At the 2015 event, every browser was exploited, even though all the browsers had been patched by their respective vendors. Although all the browsers were exploited, Gorenc noted that it’s important to remember that the people who come out to compete at Pwn2Own are some of the best security researchers in the world.
“Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches,” Gorenc said. “One of our goals with the contest is to get this information to the vendors so they can make their browsers more secure and even harder to hack the next year.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.