While developers are getting better about hardening their software, the 35 vulnerabilities revealed at the Pwn2Own tournament this week show that security remains a work in progress.
The annual contest pits vulnerability researchers against the latest operating systems running four different browsers and vital plug-ins, with the winner taking home the compromised—or “pwned”—laptop and up to $100,000 in cash prizes. Eight groups of researchers attempted to hack the systems, reporting 35 vulnerabilities to the contest organizers that would be passed on to their respective software vendors for patches and repairs, Brian Gorenc, manager of vulnerability research at HP Security Research, told eWEEK.
“You are seeing a market that is very lucrative and growing, and that results in more vulnerability research,” he said. “We are seeing people take more of an out-of-the-box approach to exploiting software.”
The larger cash prizes have helped. Last year, the contest dramatically increased the prizes and awarded more than a half of million dollars. With more time to prepare, eight teams came out and signed up for 15 different attempted exploits. In total, more than $850,000 in cash prizes were awarded at the contest.
Three attacks on Mozilla Firefox required only a single vulnerability, but for the most part, the exploits required two vulnerabilities—one to break out of the application sandbox protecting the system from untrusted code and another to elevate privileges from the context of the browser to those of the system kernel. The two-stage attacks are the new normal for vulnerability exploitation, Gorenc said.
“Back several years ago, it would be one vulnerability and you are done,” he said. “We have made exploitation harder. We are making the cost more difficult.”
One attack, used by contestants Sebastian Apelt and Andreas Schmidt, exploited three different vulnerabilities to compromise Internet Explorer.
Offensive security firm VUPEN collected $400,000 over the two days for exploiting Adobe’s Reader and Flash, Microsoft’s Internet Explorer, Mozilla’s Firefox and a Webkit vulnerability that affects Google Chrome.
While Internet Explorer 11 managed to fend off one attempt to exploit the software, two other teams—including VUPEN—managed to break through the browser’s security.
The large influx of vulnerabilities shows that critical security issues are still possible to find and chain together to exploit systems and penetrate servers. The efforts of software vendors to harden their code and make exploitation more difficult have been fruitful, but have not eliminated the problem. Yet, there is a silver lining: The 35 vulnerabilities will be fixed by the software vendors and, if root-cause analysis is done, software developers can improve their programming practices.
The contest will only continue to get bigger and next year more security teams will likely try their hand, Gorenc said.
“We expect to get researchers that we haven’t reached before,” he said. “We hope they will continually push the envelope, and show off their excellent work.”