Pwn2Own 2014, an event that takes place these days alongside CanSecWest in Vancouver, has started. On the first day, contestants already found vulnerabilities in Safari, Firefox, Internet Explorer, Adobe Flash and Reader.The payouts made after the first day total $400,000 (€286,000). Most of the money went to French research firm VUPEN. The company’s researchers have managed to find a total of four vulnerabilities.
They found a use-after-free with an Internet Explorer sandbox bypass in Flash. The issue can be exploited to execute arbitrary code. A heap overflow and PDF sandbox escape in Adobe reader also resulted in code execution.
VUPEN experts have also found a use-after-free that can be leveraged for code execution in Firefox. In addition, they’ve managed to bypass the sandbox in Internet Explorer 11 on Windows 8.1 with a use-after-free vulnerability that causes object confusion in the broker.
For their work, VUPEN researchers have been rewarded with $300,000 (€215,000).
Researchers Jüri Aedla and Mariusz Mlynski each managed to “pwn” Firefox. Aedla found an out-of-bound read/write resulting in code execution.
Mlynski found two security holes: a privilege escalation flaw and one that could be exploited to bypass the web browser’s security measures. Each of the experts has been rewarded with $50,000 (€35.850).
TippingPoint’s Zero Day Initiative (ZDI) and Google, the co-sponsor of Pwn2Own 2014, have taken part in a new challenge called Pwn4Fun. Experts from Google and ZDI presented their own exploits, all the proceeds being donated to the Canadian Red Cross.
“At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X. ZDI presented a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity) with continuation,” the competition’s organizers explained.
A total of $82,500 (€59,000) has been donated to the Canadian Red Cross.
IDG’s Gregg Keizer reports that most of the contestants managed to demonstrate their exploits within 5 minutes, despite having 30 minutes to do it. Once the exploits were demonstrated, the security researchers headed to the disclosure room where they presented the details of their exploits to vendors.
This is one of the main conditions of Pwn2Own. All vulnerabilities must be disclosed to respective vendors so that they can fix the security holes.
We can expect Mozilla and Microsoft to patch the vulnerabilities found by contestants in the upcoming days. It remains to be seen if anyone manages to break Chrome in the second and last day of Pwn2Own.