    Pwn2Own 2014 Claims IE, Chrome, Safari and More Firefox Zero-Days

    Written by

    Sean Michael Kerner
    Published March 14, 2014

      On March 13, the second day of the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own event, security researchers continued to expose zero-day flaws in Google Chrome, Apple Safari, Microsoft Internet Explorer, Mozilla Firefox and Adobe Flash.

      HP awarded $450,000 in prize money on the second day of Pwn2Own, adding to the $400,000 that the company awarded on the first day of the event.

      Microsoft’s IE browser was successfully exploited once on March 12 by security research firm VUPEN and then again on March 13 by security researchers Sebastian Apelt and Andreas Schmidt. Apelt and Schmidt leveraged a pair of use-after-free memory flaws to exploit IE.

      Adobe Flash was exploited on both the first and second days of the Pwn2Own event as well. VUPEN exploited Adobe Flash on March 12, as did researchers from Keen Team on March 13.

      Keen Team also exploited Safari, the only security group to do so. The group was able to execute a memory heap overflow, along with a sandbox bypass, to exploit Apple’s Web browser.

      Google’s Chrome Web browser was successfully exploited by VUPEN on March 13 with a use-after-free memory flaw that enabled a sandbox bypass.

      Firefox

      While the IE, Chrome and Safari Web browsers were all attacked and exploited at Pwn2Own, the most exploited browser at the event, in terms of the total number of new zero-day exploits that were publicly demonstrated, was Mozilla Firefox.

      On the first day of the event, Firefox was exploited three different times. On the second day, it was exploited once more, bringing the total tally to four.

      Mozilla has a history of rapidly patching zero-day issues with Firefox exposed at Pwn2Own events. So how fast will Mozilla patch the four zero-day flaws first presented at Pwn2Own 2014?

      Sid Stamm, senior engineering manager of security and privacy at Mozilla, told eWEEK that the company believes the risk of users being compromised from the four bugs is low over the next couple of days because the exploits are not publicly known. HP has a responsible disclosure policy in which bugs discovered at Pwn2Own are immediately provided to vendors and full details are not publicly released. Although Mozilla doesn’t need to rush, Firefox users will not have to wait long for an update.

      “We are working quickly to address each of these bugs and expect to deliver fixes next week,” Stamm said.

      Mozilla has had its own browser security bug bounty program since 2004, in an effort to attract security research reports and keep Firefox users safe. The best software works, Stamm said, because its creators test how to break it. Mozilla’s own security team works tirelessly on finding and fixing bugs, he added.

      As for why Firefox was the most exploited browser at the 2014 Pwn2Own event, money likely plays a key role.

      “Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers’ decision to wait until now to share their work and help protect Firefox users,” Stamm said. “Mozilla also offers financial rewards in our bug bounty program, and this program’s success has inspired other companies to follow suit.”

      HP awarded researchers $50,000 for each Firefox flaw that was disclosed at Pwn2Own 2014. When Mozilla started its bug bounty program in 2004, it awarded researchers $500 for each critical security bug.

      “In July of 2010, we increased the bounty payout to $3,000 because we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” Stamm said. “Since then, we have seen an increase in the total amount paid per year as well as interest from security researchers to get involved with the project.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
