Major Browsers hacked at Pwn2Own hacking competition

At the Pwn2Own hacking competition two researchers hacked the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Safari.

Two researchers on Thursday successfully hacked the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, at the Pwn2Own, the annual hacking contest in Vancouver.

In particular the Korean researcher Jung Hoon Lee earned $110,000 in just two minutes, the man used 2000 lines of code to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser.

Lee also hacked in the same day a 64-bit version of IE 11 exploiting a time-of-check to time-of-use (TOCTOU) vulnerability. The flaw exploited between the time a file property is checked and the time the file is used, allowed the research a privilege escalation. Lee awesome, because he closed the day exploiting a use-after-free vulnerability to take down Safari browser.

In just one day, Lee earned about $ 225,000 hacking the main browser. GREAT JOB!

Lee isn’t the unique expert that demonstrated the vulnerability of principal browsers. A researcher operating under the pseudonym ilxu1a hacked Mozilla browser. The researchers discovered an out-of-bounds read/write vulnerability through static analysis and by exploiting it he obtained a medium-integrity code execution. The same exploit did not work for Chrome.

In the following list are reported the list of bugs discovered in the principal browsers during the Pwn2Own hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero:

Microsoft Windows: 5 bugs
Microsoft IE 11: 4 bugs
Mozilla Firefox: 3 bugs
Adobe Reader: 3 bugs
Adobe Flash: 3 bugs
Apple Safari: 2 bugs
Google Chrome: 1 bug

The total amount of money paid to the researchers is $442,500 … I love the Pwn2Own competition because gives value to the knowledge and power to the research!

Pierluigi Paganini

(Security Affairs – browser, Pwn2Own )

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.