Pwn2Own hacking contest winds down after paying a record $480K

Google, Mozilla rush out fixes for flaws revealed by researchers

A day after researchers hacked Chrome and Firefox at the Pwn2Own contest, Google and Mozilla patched their browsers Thursday.

The contest also wound down yesterday after hackers had earned a record $480,000 over two days.

The update to Chrome 25 came about 24 hours after two researchers from U.K. firm MWR InfoSecurity exploited multiple bugs in the browser and Windows 7. In exchange for their attack code and vulnerabilities, Nils -- a German who goes only by his first name -- and Jon Butler were awarded $100,000 by Pwn2Own organizer HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program.

The quick turn-around nearly matched last year's, when Google patched several Chrome vulnerabilities in under 24 hours after researchers unveiled them at a company-sponsored contest.

Mozilla also patched its Firefox browser on Thursday, closing a hole unveiled by a team from Vupen, a French vulnerability research and exploit-selling company. The team's exploit resulted in a cash prize of $60,000, the laptop used to host Firefox and other fringe benefits.

"We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users," said Michael Coates, Mozilla's director of security assurance, in a Thursday blog.

Mozilla had been expecting to patch Firefox, and had prepped for what it calls a "chemspill," or emergency update, before Pwn2Own began.

Firefox 19.0.2, like Chrome 25, has already been pushed to users, most of whom receive it automatically through the browser's in-the-background update mechanism.

The other browser hacked Wednesday at Pwn2Own, Microsoft's Internet Explorer 10 (IE10), has not yet been patched. It's possible, but very unlikely given Microsoft's practices, that a fix will be included in March 12's Patch Tuesday.

On Twitter, Vupen's CEO and head of research, Chaouki Bekrar, said that the exploit his team deployed works against IE10 both on the "classic" desktop in Windows 8 as well as the browser for the tile-based user interface (UI) dubbed "Modern" by Microsoft but still referred to as "Metro" by most outsiders.

On Thursday, Pwn2Own continued with the Vupen team researchers successfully exploiting the Adobe Flash Player browser plug-in. George Hotz, a 23-year-old best known for "jailbreaking" the iPhone and the Sony PlayStation 3 -- and now being sued by Sony for the latter -- later brought down Adobe Reader. Vupen and Hotz each received $70,000 for their Adobe vulnerabilities and hacks.

Oracle's Java was also hacked yesterday by Ben Murphy, making a total of four exploits of the under-assault software that's plagued users with a rash of "out-of-band," or emergency, updates this year. Murphy, like each of the others who cracked Java, earned $20,000.

Pwn2Own's total award payout for the two days was $480,000, a record for the contest, which is now in its eighth year. The Vupen team took home over half of that, $250,000, for its exploits of IE10, Firefox, Flash and Java.

But Google's Pwnium 3, which also ran Thursday at CanSecWest, the same Vancouver, British Columbia security conference that hosted Pwn2Own, came up empty-handed.

"Pwnium 3 has completed and we did not receive any winning entries," a Google spokeswoman said in an email late Thursday. "We are evaluating some work that may qualify as partial credit."

Pwnium had attracted pre-contest attention for its large awards -- up to $150,000 for each hack, with Google committing to a maximum payout of as much as $3.14 million -- and its focus on Chrome OS, the browser-based operating system that powers laptops such as the $249 Samsung Chromebook and Google's own $1,299 Chromebook Pixel.

ZDI called an end to the contest Thursday, even though no researcher had attempted to take down the one remaining target, Apple's Safari browser running on OS X Mountain Lion.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsecurityMalware and Vulnerabilities

More about Adobe SystemsAppleGoogleHPMicrosoftMozillaOracleSamsungSonyTippingPointTippingPointTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place