On March 13, the second day of the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own event, security researchers continued to expose zero-day flaws in Google Chrome, Apple Safari, Microsoft Internet Explorer, Mozilla Firefox and Adobe Flash.
HP awarded $450,000 in prize money on the second day of Pwn2Own, adding to the $400,000 that the company awarded on the first day of the event.
Microsoft’s IE browser was successfully exploited once on March 12 by security research firm VUPEN and then again on March 13 by security researchers Sebastian Apelt and Andreas Schmidt. Apelt and Schmidt leveraged a pair of use-after-free memory flaws to exploit IE.
Adobe Flash was exploited on both the first and second days of the Pwn2Own event as well. VUPEN exploited Adobe Flash on March 12, as did researchers from Keen Team on March 13.
Keen Team also exploited Safari and was the only security group to do so. The group used a heap overflow, along with a sandbox bypass, to exploit Apple’s Web browser.
Google’s Chrome Web browser was successfully exploited by VUPEN on March 13 with a use-after-free memory flaw that enabled a sandbox bypass.
While the IE, Chrome and Safari Web browsers were all attacked and exploited at Pwn2Own, the most exploited browser at the event, in terms of the total number of new zero-day exploits that were publicly demonstrated, was Mozilla Firefox.
On the first day of the event, Firefox was exploited three different times. On the second day, it was exploited once more, bringing the total tally to four.
Mozilla has a history of rapidly patching zero-day issues with Firefox exposed at Pwn2Own events. So how fast will Mozilla patch the four zero-day flaws first presented at Pwn2Own 2014?
Sid Stamm, senior engineering manager of security and privacy at Mozilla, told eWEEK that the company believes the risk of users being compromised from the four bugs is low over the next couple of days because the exploits are not publicly known. HP has a responsible disclosure policy in which bugs discovered at Pwn2Own are immediately provided to vendors and full details are not publicly released. Although Mozilla doesn’t need to rush, Firefox users will not have to wait long for an update.
“We are working quickly to address each of these bugs and expect to deliver fixes next week,” Stamm said.
Mozilla has had its own browser security bug bounty program since 2004, in an effort to attract security research reports and keep Firefox users safe. The best software works, Stamm said, because its creators test how to break it. Mozilla’s own security team works tirelessly on finding and fixing bugs, he added.
As for why Firefox was the most exploited browser at the 2014 Pwn2Own event, money likely plays a key role.
“Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers’ decision to wait until now to share their work and help protect Firefox users,” Stamm said. “Mozilla also offers financial rewards in our bug bounty program, and this program’s success has inspired other companies to follow suit.”
HP awarded researchers $50,000 for each Firefox flaw that was disclosed at Pwn2Own 2014. When Mozilla started its bug bounty program in 2004, it awarded researchers $500 for each critical security bug.
“In July of 2010, we increased the bounty payout to $3,000 because we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” Stamm said. “Since then, we have seen an increase in the total amount paid per year as well as interest from security researchers to get involved with the project.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.