Pwn2Own 2013 – Chrome, IE and Firefox Fall

Firefox, Chrome and IE have all been exposed as a result of the Canadian Pwn2Own competition hosted by the CanSecWest Conference in Vancouver this week.

The contest, run by HP’s DVLabs Zero Day Initiative, offers prizes totaling half a million dollars to the initiators of successful attacks. $100,000 was offered for a successful own of Firefox in Windows 7 and Chrome in Windows 8. For successfully attacking IE9 in Windows 7 a prize of $75,000 was offered, and $60,000 for Firefox in the same OS.

All the successful attacks used zero-day vulnerabilities. Internet Explorer was attacked using a combination of two zero-day vulnerabilities and a sandbox bypass that compromised IE10 running in Windows 8 on a Microsoft Surface Pro tablet/laptop hybrid. Firefox fell to a new technique, described as a ‘use-after-free’ vulnerability in Windows, that bypasses ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention).

Google’s Chrome also suffered, despite Google releasing 10 patches prior to the competition. Competitors still managed a sandbox bypass exploit on an up-to-date Windows machine whose browser was pointed at a malicious website. The malicious website gained code execution in the sandboxed rendering process. Another vulnerability, discovered in the kernel, allowed arbitrary command execution outside the sandbox with system privileges.

HP had offered $65,000 to any researcher who managed to hack OS X Mountain Lion, but no competitors stepped up to accept the challenge; instead, the main focus of the Pwn2Own 2013 competition was Chrome.


