The second day of the annual Zero Day Initiative (ZDI) Pwn2own browser-hacking competition on March 17 went much like the first day, with researchers once more showing new zero-day vulnerabilities in modern Web browsers.
On the first day of Pwn2own, $282,500 in prize money was awarded and on the second day, $177,500 was won, bringing the two-day total for the event to $460,000. All told, 21 previously unknown vulnerabilities were publicly demonstrated at Pwn2own 2016.
The first exploit demonstrated on the second day of Pwn2own 2016 was a new attack against Apple’s Safari browser by Tencent’s Team Sniper, which made use of a use-after-free zero-day in Safari and an out-of-bounds memory exploit in Mac OS X. Team Sniper earned $40,000 for the new Safari/Mac OS X attack.
Safari and Mac OS X had previously been exploited on the first day of Pwn2own 2016, by security researcher JungHoon Lee as well as Tencent’s Team Shield.
One target that wasn’t hit on the first day was Microsoft’s new Edge Web browser, but that situation was corrected on the second day. Independent security researcher JungHoon Lee was able to successfully exploit Microsoft Edge by abusing an uninitialized stack variable vulnerability in the browser. Lee coupled that vulnerability with a directory traversal vulnerability in Microsoft Windows in order to achieve full system privileges, in an attack chain that resulted in an $85,000 reward for Lee.
Microsoft Edge was also targeted for exploitation by Team Sniper, whose members were able to find an out-of-bounds memory vulnerability in Microsoft Edge as well as a buffer-overflow vulnerability in the Windows kernel. Team Sniper earned $52,500 for its successful attack against Microsoft Edge.
While there were successful attacks on the second day of Pwn2own, what was somewhat more surprising was that there were also multiple failed attempts. “The biggest surprise was the back-to-back failures,” Christopher Budd, global threat communications manager at Trend Micro, told eWEEK.
Lee was unsuccessful in demonstrating a code-execution attack against Google Chrome while Tencent’s Team Shield failed in an attempt to show a code-execution attack against Adobe Flash.
The 2016 Pwn2own event was also different in that it was the first Pwn2own browser contest not to include Mozilla’s Firefox Web browser. When the Pwn2own 2016 event was first announced, Brian Gorenc, manager of vulnerability research at Hewlett Packard Enterprise, explained to eWEEK that the focus for the 2016 event would be on browsers that have innovated security-hardening efforts in the past year, which is a group that didn’t include Firefox.
Also of note for the 2016 event was the fact that the majority of researchers who participated came from Asia, while in past years, there was a wider geographic distribution of participants.
“Over the last several years, we’ve worked hard to increase the numbers of Asia-based researchers submitting to the Zero Day Initiative program and participating in the Pwn2own contest,” Budd said. “This work has paid off, and we couldn’t be happier with the amount of participation we get at our Pwn2own contest.”
With the event now over, the focus turns to the impacted vendors—Adobe, Microsoft and Google—to fix the vulnerabilities that were demonstrated at Pwn2own 2016. The amount of time it takes each vendor to fix vulnerabilities varies, though they all have the same final deadline, before ZDI publicly discloses the issues.
“All vulnerabilities disclosed to vendors out of Pwn2own are subject to ZDI’s standard 120-day disclosure window,” Budd said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.