At Pwn2Own, Chrome, Flash and Other Key Tools Proved Vulnerable

by Ostatic Staff - Mar. 18, 2016

The Pwn2Own hacker contest has steadily become an important fixture in testing the security of software applications, operating systems and hardware devices. It is now widely followed by major technology companies and technologists of all stripes. The competition exposes just how vulnerable the browsers, applications and utilities that we all use all day really are.

The first day of the annual Pwn2Own hacking contest has been completed, and, sure enough, hackers exposed vulnerabilities in Apple Safari, Google Chrome and Flash Player to compromise the latest versions of both OS X and Windows. They also earned hundreds of thousands of dollars in prize money. 

The Pwn2Own competition is happening at the CanSecWest conference in Vancouver, Canada, and $282,500 was awarded in first-day prizes.

A crafty research team billed as the 360Vulcan Team won big, earning $132,500 in prize money for exploiting Adobe Flash and Google Chrome. The Flash exploit leveraged a type confusion bug in Adobe Flash and a vulnerability in Microsoft's Windows 10.

The very same team showed a remote code execution attack against Google Chrome on Windows that also compromised the operating system. To do so, they combined exploits for four vulnerabilities: one in Chrome, two in Flash and one in the Windows kernel.

According to eWeek:

"Chinese corporation Tencent is well-represented at Pwn2own 2016, with three teams competing—Sniper, Shield and Xuanwu. Tencent's Team Sniper earned $50,000 on the first day of Pwn2own by successfully demonstrating a new attack against Adobe Flash that exposed a new out-of-bounds vulnerability in Flash and a use-after-free vulnerability in Windows."

"Tencent's Team Shield's attention was on Apple's Safari, where the group was able to find three new vulnerabilities. One of the vulnerabilities is a use-after-free memory issue in Safari while the other is in a Mac OS X privileged process. For their efforts in attacking Safari on OS X, Tencent's Team Shield was awarded $40,000."

HP and Trend Micro are sponsoring Pwn2Own. Why do they do so? They benefit when key vulnerabilities uncovered at the contest get patched.

Each of the vulnerabilities exploited will be privately disclosed to the software builders in question so that patches can be delivered. 

The Pwn2Own competition is widely watched by technology companies, and individuals should keep track of the annual results as well.