Researchers rake in $280K at Pwn2Own hacking contest

Teams hack IE10, Chrome 25, Firefox 19, and Java 7 as eighth Pwn2Own gets off to an impressive start

Research teams Wednesday cracked Microsoft's Internet Explorer 10 (IE10), Google's Chrome and Mozilla's Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.

Earlier in the day, a solo hacker exploited Oracle's Java to win $20,000.

Vupen, a French vulnerability research and bug-selling firm that took first place at Pwn2Own last year, brought down IE10 running on a Windows 8 powered Surface Pro tablet by exploiting a pair of flaws.

"We've pwned [Microsoft's] Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," Vupen announced on Twitter Wednesday afternoon.

HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program is co-sponsoring Pwn2Own this year -- Google has also pumped money into the contest -- confirmed the Vupen hack in a tweet of its own.

According to Pwn2Own's rules, which were dramatically revised from 2012's challenge, the first researcher or team of researchers to hack IE10 on Windows 8 wins a $100,000 cash prize, plus the machine hosting the browser target.

Toward the end of the day, Vupen followed up with an exploit of Firefox 19 on Windows 7, collecting another $60,000.

Pwn2Own started Wednesday at the CanSecWest security conference in Vancouver, British Columbia, and will run through Friday.

Also on Wednesday, a two-man team from MWR Labs, an arm of UK-based MWR InfoSecurity, hacked Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, vulnerabilities in the browser and operating system.

Like the Vupen hack of IE10, MWR Labs' exploit of Chrome resulted in a complete bypass of Windows anti-exploit "sandbox" technology. The MWR Labs researchers who found the bugs, built the exploits, and demonstrated their skills at Pwn2Own were Nils -- a young German who is known only by his first name -- and Jon Butler. Nils has a Pwn2Own history: He won $10,000 by hacking Mozilla's Firefox in 2010, and $15,000 the year before for exploiting Firefox, IE8 and Apple's Safari.

Nils and Butler described their Chrome hack in a brief blog post Wednesday, outlining how they defeated Windows' security defenses, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

For their work, Nils and Butler received $100,000.

At the opening of the contest, a pair of solo researchers -- James Forshaw, a principal consultant at Context Information Security in the U.K., and Joshua Drake of Accuvant -- exploited Oracle's Java. Forshaw, who took his jabs first, won $20,000, Pwn2Own's lowest-priced prize. Vupen also successfully hacked Java 7 with a vulnerability and exploit of its own.

In a departure from the original rules, ZDI said that it would purchase all successful vulnerabilities and their associated exploits from researchers, even those that were not awarded prizes. It did not say how much hackers would earn by selling such secondary flaws: ZDI and other bug bounty programs typically are tight-lipped about what they pay.

Several prizes went unclaimed Wednesday, including the two $70,000 awards for Adobe's Flash Player and Adobe Reader on Windows 7, and the $65,000 check for Safari on OS X Mountain Lion. Flash and Reader are slated to be attacked today.

Google's own contest, Pwnium 3, kicks off Thursday at CanSecWest when Chrome OS -- the search giant's browser-based operating system -- will be targeted by researchers. Pwnium 3 is notable for the $3.14 million Google has set aside for potential awards, and for the individual prizes of as much as $150,000 for each successful exploit.

This is Pwn2Own's eighth year, but the total prize pool of more than a half million dollars is a record for the contest.

More information about Pwn2Own can be found on TippingPoint's blog.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags VupenGoogleMicrosoftsecuritytwitterMalware and VulnerabilitiesOraclemozillaHP

More about Adobe SystemsAppleDrakeGoogleHPMicrosoftMozillaOracleTippingPointTippingPointTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place