The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader.
hacking doesn’t pay…
…”That netted him another $50,000 USD and brought his daily total to $225,000.” This was JungHoon Lee (lokihardt), working by himself. Damn.
Is this competitive with what these would bring in on the black market? The guy will sleep better at night, and you can’t put a price on that… but still.
FunkyELF,
It could represent many more months of perfecting hacking techniques, debugging, and finding workable exploits, but yeah it’s many times my salary. I’m curious what the black market pays.
Between 2010 and 2013, MS seems to have realized that it needs to provide a financial incentive for hackers to come to them with vulnerabilities. Evidently “recognition” by Microsoft didn’t cut it.
http://www.zdnet.com/article/microsoft-no-plans-to-pay-for-security…
http://www.cnet.com/news/microsoft-pays-out-28k-to-ie-11-exploit-hu…
My guess is that Microsoft’s rewards were less than the black market would pay. Something else to think about: does the NSA qualify as “black market”? Their intention is obviously to use the exploits rather than to fix them; we can’t really call that white-hat hacking. What do they pay their hackers?
I understand that all major browsers were compromised, does anyone know what operating systems they were running on, or if they were operating system agnostic?
There are also mentions of Windows exploits being part of the exploit chains, so I guess one can assume that these all worked against the browsers running on Windows, but there is no mention of Mac or Linux.
At least the Firefox bugs sounded like they were not dependent on the underlying OS and thus would most likely work just as easily under OS X or Linux. That said, I doubt much more in the way of details will be released, as they don’t want to give the baddies any ammunition.
Per the rules all browsers had to be exploited on Windows, except for Safari which had to be exploited on OS X. No Linux target was set up.
Attackers who could escape browser security and execute code at normal integrity level (Windows), or just as the user on OS X, were rewarded with the *browser* exploit award.
Specifically on Windows there was an extra prize if the attacker could elevate to SYSTEM (roughly the equivalent of root if root login has been disabled). Several of the contestants achieved that as well. There was no similar prize for root on OS X.
Really impressive, even more so when you learn the rules the hackers must observe.
Take a look at http://techxplore.com/news/2015-03-big-browsers-fall-pwn2own-exploi….