All major browsers hacked in Pwn2Own contest; hacker gets $225,000 in prize money

“So much for browser security,” Lucian Constantin reports for IDG News Service. “Researchers who participated in the Pwn2Own hacking contest this week demonstrated remote code execution exploits against the top four browsers, and also hacked the widely used Adobe Reader and Flash Player plug-ins.

“On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X,” Constantin reports. “He walked away with US$225,000 in prize money, not including the value of the brand new laptops on which the exploits are demonstrated and which the winners get to take home.”

“Lee’s attack against Google Chrome earned him the largest payout for a single exploit in the history of the competition: $75,000 for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 for also hitting the browser’s beta version—for a total of $110,000,” Constantin reports. “The IE11 exploit earned him an additional $65,000 and the Safari hack $50,000… All bugs were reported to the affected vendors after the contest, as part of the competition’s rules.”

Read more in the full article here.

MacDailyNews Take: The good news is that Apple and the rest now know about these issues and can work to close them.

29 Comments

  1. There’s always going to be exploitable code, especially when third-parties can offer integration through plugins or extensions. This is going to be a very expensive endeavour for browser vendors.

    1. I wish that MDN spent more time offering tips for Mac users to secure their machines instead of repeatedly droning the fallacy that if you have a Mac you don’t have to concern yourself with security.

      1. MDN does NOT “drone the fallacy that if you have a Mac you don’t have to concern yourself with security”.

        Nor does anyone else.

        They do repeatedly drone the FACT that OS X is enormously more secure than Winblows and iOS is enormously more secure than Androcrap and Winblows Mobile.

        However — there are some who repeatedly drone the fallacy that Mac owners drone the fallacy that they don’t have to concern themselves with security. Anybody with an IQ over that of a hamster knows that there are security issues with Macs, and good/bad security behavior. None of us with such IQs claim zero security risk.

        1. I have to assume that some people misunderstood you post. Otherwise, why the down votes?

          OS X and iOS are not perfectly secure as demonstrated by the bug fixes and security patches over the years. However, if you are a wise and cautious user, OS X and iOS offer strong security. The biggest security hole is the user. Don’t respond to phishing emails, don’t open unsolicited attachments, and don’t install software sourced outside of The App Store unless you are certain it is safe and uncompromised

  2. Whopping security holes in Adobe freeware (Flash, Reader), DUH. What a menace.

    But now, it could not be clearer that ALL web browsers are hackable. Well earned prize money! Get cracking, browser developers!

    As usual, it will take months to learn what hack methods were used to break into each program. But my bets are always on buffer overflows.

    My usual rant: Memory management in modern code development is AWFUL. I personally point the finger at ALL variations of the C programming language. It’s time to dump C for something far safer. It’s not Java! I keeping hoping Apple’s Swift language is it. /rant

    1. I feel you man but once you get below whatever the latest and greatest type safety and bounds checking framework you choose you’ll still find plenty of system level C code that might be exploitable.

      Naturally some languages are better suited than others in this day and age but even those languages depend on some very old code to function.

    2. in deed, well earned, the winners must surrender their methods and demonstrate how, hence to provide better security over all… this is the main reason for giving the winner money

    3. Everything in computers is built on top of C. At least in the Mac, Linux, and Windows worlds. Would have to rethink and restart modern computer science all over again to get away from C. Which I guess is inevitably going to happen at some point or other, the way everything changes and updates in computers over time.

      1. One reason I laugh at the concept of ‘artificial intelligence’ (AI) is that we know very well it will be hackable, or derange-able if it is based on our usual coding practices. Some day I’ll finish a humorous story series I have exploring exactly that.

    4. Pretty sure the hacker / winner shares his method in return for the big cash payout. The companies aren’t paying out this kind of cash reward with no information coming back.

  3. You know all the virulence surrounding government snooping, this is far more worrisome and hits me much closer to home. Where are all of the privacy hotheads. While it doesn’t say PRIVACY, the ability to invade and take control of your computer data is a HUGE PRIVACY ISSUE and one that I’d place much higher on the list of things to accomplish for Silicon Valley companies that making sure NSA can’t read my e-mails!

    Isn’t there some snappy quote from old Ben Franklin about thieves and night stalkers waiting on every corner to rob you?

    1. Actually, no.

      While these guys come in and take over a machine in minutes, they spend weeks, and sometimes many months, figuring out each exploit. No matter how bulletproof you try to make an OS or browser or other application, there are *always* going to be holes. The only truly bullet proof computer is one that is turned off, disconnected from everything physically and electrically, and placed into a copper lined lead box which is then sealed shut.

      The goal of every computer security team (whether they are developers or operations people) is to make the holes as few as possible and make finding and implementing an exploit so difficult that extremely few people will be able to do so.

      1. Are you trying to say that $3 billion in additional manpower and rigor in software development, even if only partly applied to Mac security, wouldn’t have been effective at catching the Safari error that lokihardt exploited?

        I disagree. Apple is long overdue for a Snow Leopard quality release. They have the money to do it, what seems to be lacking in Cupertino is the leadership to take on fundamental multi-year Mac improvements. That’s on Cook, and no one else. He’s focused on iOS and iCloud at the detriment of the Mac platform, and it shows.

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.