Popular web browsers hacked at Pwn2Own security event


By Larry Banks

The most popular web browsers, like the one that you are probably using right now, have just been hacked. The four most popular – i.e. Chrome, Internet Explorer, Firefox and Safari – have been successfully exploited at the 8th annual Pwn2Own event at CanSecWest, where researchers came to demonstrate exploits on the latest builds of popular browsers and win money in return.

Weaknesses found on most browsers

However, the good news is that due to the nature of the hacking contest, none of the details can be made public until the companies that make the browsers have had a chance to issue fixes. So, even though the bugs are probably already present in your browser, you shouldn’t be in that much danger of falling victim before they’re fixed.

Mozilla, for example, said that it would have Firefox patched up in a matter of days, but none of the other browser makers have yet issued statements.

The definition of “exploit” in Pwn2Own is clear: “modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions”.

This basically means breaking a browser’s security to make it run code that it shouldn’t. No interaction with the browsers is allowed, except “the action required to browse to the malicious content”.

Every researcher is given 30 minutes to demonstrate the exploit, on a machine they have never used, and each machine runs a fully patched and up-to-date version of its operating system. Many of these bugs were identified from days and weeks of research, i.e. they were not uncovered in the 30-minute window given to each researcher.

This is how each browser stacked up:

  • 4 bugs were demonstrated in Internet Explorer (on Windows 8.1)
  • 3 bugs were demonstrated in Mozilla Firefox (on Windows 8.1)
  • 2 bugs were demonstrated in Safari (on OS X Yosemite)
  • 1 bug was demonstrated in Chrome (on Windows 8.1)

Researchers also demonstrated various exploits in Adobe Reader, Flash, and Windows.

The Chrome browser bug resulted in a huge payout of $110,000. Chrome already had the biggest reward of any browser as it’s said to be very hard to exploit. The researcher, JungHoon Lee, even scored bonus cash for style, with $75k for the first bug, $25k awarded for getting his code to run at a system level, and another $10k because the bug also works in the beta build of Chrome.

At the end of the 2-day competition, a total of $557,500 was paid out to participants.
