Pwn2Own 2013

Results for Wednesday:

1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

More about pwning Chrome: http://labs.mwrinfosecurity.com/blog/2013/03/06/pwn2own-at-cansecwest-2013/

Summary: In the first day of the Pwn2Own cracking contest, Microsoft’s Internet Explorer 10, Google’s Chrome and Mozilla’s Firefox web browsers have all gone down in flames.

In the eternal war between crackers and security professionals, the hackers have won the latest battle.

At the CanSecWest conference in Vancouver, Canada, the HP Zero Day Initiative’s (ZDI) annual Pwn2Own competition has ended its first day of competition and Microsoft’s Internet Explorer (IE) 10, Google’s Chrome and Mozilla’s Firefox Web browsers have all been cracked. In addition, Java—can anyone be surprised at this?—was also cracked multiple times.

Read more: Pwn2Own: Down go all the browsers | ZDNET

Vupen >:(

:cry: Hopefully this will make them much more secure.

Though I think they should have made more incentive for non-Windows OSes.

But then again, more fragmented numbers seem to mean there is much less to be exploited, based on the blog post comments.

I do wonder whether Java will still rise, and if it falls, what will be the next to be heavily exploited. Only the future knows, I guess :'( :'(

Thursday’s results:

12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

Chrome and Firefox have been updated.

Pwnium 3: Chrome OS was not pwned.

Update: We just closed out the competition. We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits. Thanks to those who attempted, see you next time!
https://plus.google.com/u/0/100585555255542998765/posts/TRotibBewk9

These are the prizes -
Web Browser
Google Chrome on Windows 7 ($100,000)
Microsoft Internet Explorer, either
IE 10 on Windows 8 ($100,000), or
IE 9 on Windows 7 ($75,000)
Mozilla Firefox on Windows 7 ($60,000)
Apple Safari on OS X Mountain Lion ($65,000)
Web Browser Plug-ins using Internet Explorer 9 on Windows 7
Adobe Reader XI ($70,000)
Adobe Flash ($70,000)
Oracle Java ($20,000)

I got a chuckle out of seeing a paltry 20K offered for Java :stuck_out_tongue:
That was a dead cert payout if ever there was one…
Edit: Java was broken 3 times 88)

On a side note Vupen are at least trying to appear that they have changed their ways - https://twitter.com/VUPEN/status/309611849765236737
Quite a contrast from last year - Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques.

The rules were changed this year, so they had no choice.

Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

See also Chromium Blog: Show off Your Security Skills: Pwn2Own and Pwnium 3

Ah, that makes sense, thanks :slight_smile:
Still perfect advertising for a company that charges 100K a year just for a subscription.
Or am I being overly cynical?

The Chromium Blog: Pwnium 3 and Pwn2Own Results