How secure is your Internet browser? Not very secure, apparently. It took ethical hackers at Pwn2Own less than a day to prove it.
Researchers engage in the annual Pwn2Own hacking contest at the CanSecWest conference in Vancouver. There are cash prizes for demonstrating the use of remote exploits to hack the four major browsers, as well as the Adobe Reader and Flash Player plugins.
The star of the day was South Korean security researcher and hacker Jung Hoon Lee. The serial browser hacker, known in online circles as “lokihardt”, took home cash prizes totaling $225,000 in addition to the brand new laptops provided for the event.
Jung Hoon Lee successfully exploited Internet Explorer, Firefox and Chrome browsers on Microsoft’s Windows, and hacked Safari on Mac OS X. Remarkably, Jung Hoon Lee accomplished this feat singlehandedly even though his opponents generally worked in teams.
PCWorld broke down his $225,000 haul as follows: “$75,000 for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 for also hitting the browser’s beta version—for a total of $110,000. The IE11 exploit earned him an additional $65,000 and the Safari hack $50,000.”
Mozilla’s Firefox ended up being the most exploited browser of the day as other individuals and teams successfully exploited vulnerabilities in the browser. A researcher with the hacker handle “ilxu1a” successfully hacked Firefox on Windows but ran out of time while exploiting Google’s Chrome. Another researcher, Mariusz Mlynski, earned $30,000 for also hacking Firefox and an additional $25,000 for exploiting a Windows flaw to gain system privileges.
A merger between two Chinese teams, Team509 and KeenTeam, successfully exploited flaws in Flash Player running in Internet Explorer 11 on Windows 10 and received an $85,000 payoff. KeenTeam then teamed up with Jun Mao to successfully exploit a flaw in the Windows kernel, which earned them an additional $55,000.
Nicolas Joly, a former representative of French security firm Vupen, singlehandedly hacked Adobe Reader and Flash Player, which earned him $90,000.
There is nothing all that shocking about the Pwn2Own results. Researchers demonstrate year after year that there simply is no such thing as impenetrable software. Given enough time and dedication, researchers (or attackers) will find a way to exploit and hack an application. Pwn2Own provides the vendors with valuable insight into how to make their software more secure, and it provides the general public with a valuable lesson to always be vigilant because anything can be hacked.