Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Pwn2own Day 1 Exploits: Google Chrome, Adobe Flash, Apple Safari

    By
    Sean Michael Kerner
    -
    March 17, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Pwn2own browser hacking contest

      The annual Pwn2own browser-hacking competition at the CanSecWest conference in Vancouver, Canada, started March 16 with $282,500 awarded in first-day prizes.

      Hewlett Packard Enterprise and Trend Micro are jointly sponsoring this year’s Pwn2own event. As part of the first day, a group of researchers identified as the 360Vulcan Team were the big winners, walking away with $132,500 in prize money for exploiting Adobe Flash and Google Chrome. The Flash exploit made use of a type confusion bug in Adobe Flash as well as a vulnerability in Microsoft’s Windows 10.

      “The [Windows] kernel vulnerability was a use-after-free vulnerability,” Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. “They successfully chained both of these to compromise the target at the system level.”

      For the Flash and Windows chained exploit, the 360Vulcan Team received $80,000. The second exploit demonstrated by 360Vulcan Team was against Google’s Chrome and made use of four new zero-day vulnerabilities, two use-after-free vulnerabilities in Adobe Flash, one use-after-free vulnerability in the Windows Kernel and an out-of-bounds vulnerability in Google Chrome. For the Chrome exploit, 360Vulcan Team was awarded $52,500.

      Independent security researcher JungHoon Lee earned $60,000 on the first day of Pwn2own 2016 by exploiting Apple’s Safari browser. Lee found four vulnerabilities in total, including issues in Safari as well as Apple’s OS X desktop operating system.

      “One of the vulnerabilities was in Safari, the other three were vulnerabilities within Mac OS X,” Budd said.

      Chinese corporation Tencent is well-represented at Pwn2own 2016, with three teams competing—Sniper, Shield and Xuanwu. Tencent’s Team Sniper earned $50,000 on the first day of Pwn2own by successfully demonstrating a new attack against Adobe Flash that exposed a new out-of-bounds vulnerability in Flash and a use-after-free vulnerability in Windows.

      Tencent’s Team Shield’s attention was on Apple’s Safari, where the group was able to find three new vulnerabilities. One of the vulnerabilities is a use-after-free memory issue in Safari while the other is in a Mac OS X privileged process. For their efforts in attacking Safari on OS X, Tencent’s Team Shield was awarded $40,000.

      Day Two of Pwn2own 2016 includes Tencent’s Team Sniper taking another shot at exploiting Apple’s Safari. JungHoon Lee will be attempting to exploit the Microsoft Edge browser as well as Google Chrome. Tencent’s Team Shield will use the second day of Pwn2own to attempt to exploit Microsoft Edge as well.

      One target that isn’t being attempted by security researchers is VMware Workstation. As part of the contest, there is an award for a researcher who is able to execute a hypervisor escape from the VMware Workstation virtual machine on which the Windows-based browsers will be running. Budd isn’t surprised that no researcher has decided to try and attack VMware Workstation.

      It’s a new vector for attack, and one that can be particularly challenging,” Budd said. “Given the amount of time required for adequate research, it’s not surprising that no one has signed up this year. However, we do expect to see people sign up for this next year.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×