The hunt for a bug bounty has borne fruit in the former, with security firms managing to develop successful exploits against Microsoft IE, Google Chrome and Mozilla Firefox, as well as the Adobe Flash plug-in.
Chrome fell in HP’s Pwn2Own contest. MWR Labs demonstrated a full sandbox bypass exploit against the latest stable version of the Google Chrome browser.
“We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop,” the firm said. “By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.”
Ironically, though, Google’s own Pwnium 3 competition for Chrome OS saw no winners. The browsing behemoth had put up $3.14 million in potential winnings to those who can produce full exploits. Any winning attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS.
Meanwhile, other browsers saw failure. Threatpost reports that French security firm Vupen won $180,000 for compromising Firefox and Internet Explorer 10. Also, it “chained together three separate zero-day vulnerabilities and successfully compromised the latest patched version of Flash as part of the contest.” That compromise snagged $70,000 for the company.
Sophos Naked Security assembled the final list of the successful exploits:
- James Forshaw: Java = $20K
- Joshua Drake: Java = $20k
- Vupen Security: IE10 + Firefox + Java + Flash = $250k
- Nils & Jon (MWR): Chrome = $100k
- George Hotz: Adobe Reader = $70k
- Ben Murphy: Java = $20k