Pwn2Own competition finds exploits in major browsers


Four of the most popular internet browsers have been compromised in the Pwn2Own hacking contest, held at IT security conference CanSecWest in Vancouver.

The first day of the competition saw not only browsers being exploited but also other popular software products. Firefox, Internet Explorer 11 (IE11), and Safari were cracked by entrants, as were Adobe's Flash and Reader products.

Firefox was the most exploited browser in terms of the total number of zero-day exploits demonstrated against it: it was compromised three times in the competition.

Angela Gunn, senior security content developer at HP Security Research, said in a blog post that $400,000 (£240,505) was paid out to researchers in the main competition and $82,500 (£49,604) to charity in the Pwn4Fun sponsors-only event.

Security researchers at French firm Vupen earned the majority of the prize money, $300,000 (£180,374), for the exploits they demonstrated. The team successfully compromised Adobe Flash, Reader, IE11, and Firefox. The Flash, Reader and Firefox exploits resulted in code execution, and the IE11 exploit enabled a sandbox bypass.

Security researchers Jüri Aedla and Mariusz Mlynski hacked Firefox: Aedla found an out-of-bounds read/write resulting in code execution in the browser, while Mlynski found two vulnerabilities, one allowing privilege escalation within the browser and one bypassing browser security measures. Each researcher earned $50,000 (£30,059) apiece for their work.

In the sponsors-only Pwn4Fun event, Google used an exploit against Apple's Safari browser on Mac OS X to launch Calculator as root.

ZDI presented a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity) with continuation. Combined, the two efforts raised $82,500 (£49,591) for the Canadian Red Cross, the charity agreed upon by both sponsors.

"All vulnerabilities were disclosed to their respective vendors in the Chamber of Disclosures, and each will be working to address those issues through their own processes," said Gunn.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.