Results for Wednesday:
1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED
More about pwning Chrome: http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/
Summary: In the first day of the Pwn2Own cracking contest, Microsoft’s Internet Explorer 10, Google’s Chrome and Mozilla’s Firefox web browsers have all gone down in flames.
In the eternal war between crackers and security professionals, the hackers have won the latest battle.
At the CanSecWest conference in Vancouver, Canada, the HP Zero Day Initiative’s (ZDI) annual Pwn2Own competition has ended its first day of competition and Microsoft’s Internet Explorer (IE) 10, Google’s Chrome and Mozilla’s Firefox Web browsers have all been cracked. In addition, Java—can anyone be surprised at this?–was also cracked multiple times.
Read more: Pwn2Own: Down go all the browsers | ZDNET
Hopefully this will make them much more secure.
Though I think they should have made more incentive for non-Windows OS.
But then again, more fragmented numbers seem to say much less to be exploited, based on the blog post comments.
I do wonder whether Java will still rise, and if it falls, what will be the next to be heavily exploited. Only the future knows, I guess :'( :'(
12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED
Chrome and Firefox have been updated.
Pwnium 3: Chrome OS was not pwned.
Update: We just closed out the competition. We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits. Thanks to those who attempted, see you next time!
These are the prizes -
Google Chrome on Windows 7 ($100,000)
Microsoft Internet Explorer, either
  IE 10 on Windows 8 ($100,000), or
  IE 9 on Windows 7 ($75,000)
Mozilla Firefox on Windows 7 ($60,000)
Apple Safari on OS X Mountain Lion ($65,000)
Web Browser Plug-ins using Internet Explorer 9 on Windows 7
  Adobe Reader XI ($70,000)
  Adobe Flash ($70,000)
  Oracle Java ($20,00
I got a chuckle out of seeing a paltry 20K offered for Java
That was a dead cert payout if ever there was one…
Edit: Java was broken 3 times 88)
On a side note Vupen are at least trying to appear that they have changed their ways - https://twitter.com/VUPEN/status/309611849765236737
Quite a contrast from last year - Meet The Hackers Who Sell Spies The Tools To ■■■■■ Your PC (And Get Paid Six-Figure Fees)
In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques.
The rules were changed this year, so they had no choice.
Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.
See also Chromium Blog: Show off Your Security Skills: Pwn2Own and Pwnium 3
Ah that makes sense, thanks
Still perfect advertising for a company that charges 100K a year just for subscription.
Or am I being overly cynical?