The state of browser security is precarious at best; that reality was proved once again by the results of this year's Pwn2Own event, which paid researchers a total of $552,500 for identifying 21 vulnerabilities in seven major browsers and applications.
The 10th annual vulnerability research competition, sponsored by Hewlett Packard Co.'s Zero Day Initiative and Google's Project Zero, was held Wednesday and Thursday at the CanSecWest security conference in Vancouver.
Researchers were rewarded in cash and prizes for successfully demonstrating unique exploits in some of the world's top software, including Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Adobe Reader and Flash. As in years past, all exploits were disclosed to the applicable software vendor.
The competition has become a high-profile battle royale for the industry's top researchers, thanks in large part to five-figure cash prizes for successful exploits. In 2014 contestants received $850,000 for demonstrating 25 exploits. Last year, the event cast doubt on the integrity of sandboxes in browsers, a theme which continued this year.
Day one: Down with Reader, Flash, Windows, IE and Firefox
On day one of the event, bug hunters earned $317,500 for bugs in Reader, Flash and Windows, as well as one bug each in IE and Firefox.
Zeguang Zhao of Team509 and Peter, Jihui Lu and wushi of KeenTeam were awarded $60,000 for exploiting a remote code execution flaw in Flash, and an additional $25,000 for exploiting a local privilege escalation in the Windows kernel through TrueType Fonts (TTF).
Nicolas Joly took home $30,000 for exploiting the Flash broker through a use-after-free remote code-execution vulnerability, paired with a directory traversal vulnerability for the sandbox escape. Joly was also awarded $60,000 for compromising Reader through a stack buffer overflow.
KeenTeam and Jun Mao of Tencent PCMgr were awarded $30,000 for exploiting Reader through an integer overflow, as well as achieving pool corruption using a second TTF flaw that enabled system-level escalation, which earned them an additional reward of $25,000.
Mariusz Mlynski received $30,000 for exploiting Firefox through a cross-origin vulnerability, and another $25,000 for a Windows privilege-escalation flaw. According to HP's blog post, Mlynski "knocked it out of the park … all within .542 seconds."
Making its Pwn2Own debut, the 360Vulcan team compromised the 64-bit version of IE 11 with an uninitialized memory vulnerability in 17 seconds, bringing them $32,500 in prize money. The browser was guarded by an enhanced sandbox, full 64-bit process, Microsoft EMET, Windows 8.1 security mechanisms and other protections.
Day two: Firefox and IE hit again, Chrome and Safari taken down
On the second day of the event, bug hunters earned $235,000 in cash, plus additional prizes, for finding two bugs each in IE, Firefox, Safari and the Windows OS, and one bug in Chrome.
Researcher ilxu1a exploited Firefox in what HP said "happened so quickly that those of us who blinked missed it … it was sub-second execution." He received $15,000 for his efforts, which involved using an out-of-bounds read/write vulnerability to achieve medium-integrity code execution.
JungHoon Lee was the big winner of the day, taking home a total of $225,000 for his exploits. First, Lee bypassed all IE defense mechanisms with a time-of-check to time-of-use vulnerability that enabled read/write privileges. He was awarded $65,000 for the attack.
Lee then compromised Chrome, bringing him a total of $110,000 in prize money; the exploit compromised both the stable and beta versions of Chrome through a buffer overflow race condition in the browser, combined with an information leak and a race condition in two Windows kernel drivers, which yielded system access, all in approximately two minutes.
Finally, Lee compromised Safari with a use-after-free vulnerability involving an uninitialized stack pointer and bypassed the browser sandbox; this earned him $50,000.
In other news
- The OpenSSL Project released updates Thursday to fix 14 flaws in four versions of its cryptographic library, including one deemed high severity. The most critical flaw, CVE-2015-0291, affects only OpenSSL 1.0.2, which was released in January. Left unpatched, a remote attacker could exploit the vulnerability to crash servers, a denial-of-service condition. OpenSSL published an advisory Monday morning about the forthcoming update, leading many to worry that another Heartbleed may be looming. While still a serious flaw, the OpenSSL Project and David Ramos, who reported it, say no exploit for CVE-2015-0291 has yet been seen in the wild. Users are urged to update to OpenSSL 1.0.2a immediately. OpenSSL also re-categorized the FREAK vulnerability as high severity; it was ranked low when first patched Jan. 8. Updated versions of the 0.9.8, 1.0.0, 1.0.1 and 1.0.2 branches are available from the OpenSSL Project.
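The two checks an administrator would want after reading the item above, as an added example that is not part of the original article or of the OpenSSL Project's own tooling: a version classifier for CVE-2015-0291 (only the 1.0.2 branch is affected, and 1.0.2a is the fix) and a FREAK probe that offers a server nothing but export-grade cipher suites and reports whether it accepts one. The version strings in the comments are constructed samples, and the probe assumes a client-side OpenSSL build that still ships export ciphers (1.1.0 and later removed them, in which case the probe reports that it cannot test).

```shell
#!/bin/sh
# Added example, not code from the article or from the OpenSSL Project.

# Classify the output of `openssl version` (e.g. "OpenSSL 1.0.2 22 Jan 2015",
# a constructed sample) for CVE-2015-0291.
#   vulnerable   : a 1.0.2 build with no patch letter (1.0.2a is the fix);
#                  pre-release 1.0.2 tags are treated conservatively as unpatched
#                  (assumption, the advisory names only "1.0.2")
#   fixed        : 1.0.2a or a later patch letter on the 1.0.2 branch
#   not-affected : any other branch (0.9.8, 1.0.0, 1.0.1), which the bug never touched
openssl_0291_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.2|1.0.2-*) echo vulnerable ;;
        1.0.2[a-z]*)   echo fixed ;;
        *)             echo not-affected ;;
    esac
}

# Probe a TLS server for FREAK exposure. The client offers only the EXPORT
# cipher alias; a completed handshake means the server is willing to
# negotiate an export-grade RSA suite. Exit codes: 0 rejected, 1 accepted,
# 2 the local openssl binary has no export ciphers, so nothing was tested.
freak_probe() {
    host=$1
    port=${2:-443}
    if ! openssl ciphers 'EXPORT' >/dev/null 2>&1; then
        echo no-export-ciphers-in-client
        return 2
    fi
    # s_client prints "Cipher    : EXP-..." on success and "Cipher    : 0000"
    # when no suite could be agreed.
    if printf 'Q\n' | openssl s_client -connect "$host:$port" -cipher 'EXPORT' 2>/dev/null \
        | grep -q '^ *Cipher *: *EXP-'; then
        echo export-accepted
        return 1
    fi
    echo export-rejected
    return 0
}

# Usage: classify the locally installed library, if there is one.
if command -v openssl >/dev/null 2>&1; then
    printf 'local openssl: %s -> %s\n' "$(openssl version)" \
        "$(openssl_0291_status "$(openssl version)")"
fi
# freak_probe example.com 443   # network probe, run by hand against your own hosts
```

The version classifier only tells you whether the library on a host needs the 1.0.2a update; the FREAK probe is the test that matters for the re-categorized flaw, since a server is exposed regardless of its own library version if it still has export suites enabled in its cipher configuration.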
- Microsoft announced Monday it is developing a new name and brand for the browser that will be included in its upcoming Windows 10 release. Microsoft marketing chief Chris Capossela spoke at the Microsoft Convergence conference about the browser, dubbed "Project Spartan," which will succeed the vulnerability-riddled Internet Explorer as the OS' primary browser, despite the fact that IE still holds more than half of the desktop browser market share. The move signals the end for a moniker that, much to Microsoft's chagrin, has been synonymous with flawed security; time and again, Internet Explorer security has proven faulty, including once again this week at Pwn2Own (see above). While many outlets are reporting IE is officially dead, "phasing out" may be a more appropriate headline; The Verge reported IE will be available in some Windows 10 deployments, namely for enterprise compatibility. Capossela said at the conference Microsoft is conducting market research on future browser branding, but as of now it is unclear when the new name will be announced.
- A survey by the Pew Research Center published Monday revealed that more than one-third of the 87% of Americans aware of government surveillance programs have made at least one change to their online behavior to protect their personal data from Big Brother. The study, which polled 475 adults, found many are altering their use of everything from email and search engines to social media and mobile devices in response to the surveillance programs brought to light largely by NSA whistleblower Edward Snowden. According to the report, 17% of respondents have changed their social media privacy settings to hide information from the government, 14% are speaking more often in person than online or over the phone, and 13% have avoided using certain terms in online communications. Ten percent of those polled started using search engines that do not track search history, 5% have added privacy-enhancing browser plugins, and 4% adopted mobile encryption for calls and text messages. The research also revealed that adults under the age of 50 are more likely to have changed behaviors than those over 50 (40% vs. 27%). Eighty-two percent of those polled believe the government should be able to monitor the communications of suspected terrorists, while 57% believe it is unacceptable for the government to monitor the communications of U.S. citizens.