Researchers pocket record $400K at Pwn2Own hacking contest's first day

Hack Internet Explorer, Firefox, and Adobe Flash and Reader

Researchers on Wednesday cracked Microsoft's Internet Explorer 11 (IE11), Mozilla's Firefox and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.

Pwn2Own continues today, when other teams and individual researchers will take their turns trying to break Apple's Safari and Google's Chrome.

A team from Vupen, a French vulnerability research firm and seller of zero-day flaws to governments and law enforcement agencies, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox and IE11 for a one-day foursome, another record.

Firefox was victimized a total of three times in just over six hours, once by Vupen and then two other times by researchers Mariusz Mlynski and Jri Aedla, with each winner picking up $50,000 for their exploit.

Although Pwn2Own was originally going to offer cash prizes only to the first who hacked each target, the contest organizer, Hewlett-Packard's Zero Day Initiative (ZDI), changed the ground rules on the fly, saying early Wednesday that it would pay for all vulnerabilities used by the contestants.

With that move, ZDI, a bug bounty program that's part of HP's TippingPoint division, said it and co-sponsor Google -- the latter pitched in 25% of the prize money -- would end up paying more than $1 million if all 15 entrants, another record, were successful.

Wednesday's efforts were impressive in their own right, with each scheduled target falling to researchers within five minutes. Contestants come to Pwn2Own with zero-day vulnerabilities and exploits in their pockets, and do not find the bugs and craft attack code on-site.

"All the exploits were unique in their own way," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview after the conclusion of Pwn2Own's first day. Gorenc declined to single out the most impressive or elegant exploit. "It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities."

A "sandbox" is an anti-exploit technology deployed by some software -- Internet Explorer, Flash and Reader all rely on sandboxes -- that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must circumvent, or "escape," the sandbox to execute their malicious code on the machine. Sandbox escapes typically require chained exploits of two or more vulnerabilities.

The day's total of $400,000 nearly matched last year's Pwn2Own two-day payout of $480,000.

Vupen kicked off the day by hacking Adobe Reader, winning $75,000 for the feat.

"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw). Exploit reported to Adobe!," Vupen said on its Twitter account.

Next up was IE11 on a notebook running Windows 8.1, Microsoft's most-current operating system. "We've pwnd IE11 on Win 8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox," Vupen announced on Twitter after grabbing $100,000 for the hack.

"Use-after-free" is a term for a type of memory management bug, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.

Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.

Mlynski and Aedla each won $50,000 for hacking Firefox. Gorenc confirmed that the three Firefox attempts exploited different vulnerabilities.

Both Mlynski and Aedla are experienced researchers: Mlynski has reported several Firefox vulnerabilities to that browser's security team, while Aedla earned more than $10,000 in bug bounties by submitting numerous Chrome flaws to Google in 2011 and 2012.

TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which all had representatives on-site, ready to jump on patching.

"I think we hit it out of the park this time," said Gorenc of ZDI, referring to how smoothly Pwn2Own ran Wednesday. "We gave the contestants 30 minutes each, but most of them demonstrated their exploits within minutes, all within five minutes, and then used the remaining time to go to the disclosure room where vendors waited."

Before Pwn2Own kicked off at noon PT Wednesday at CanSecWest -- the Vancouver, British Columbia, security conference that has hosted the contest for the last eight years -- ZDI and Google sponsored a new challenge, dubbed "Pwn4Fun," where the two sponsors raised $82,500 for the Canadian Red Cross by presenting vulnerabilities and exploits of their own.

The Google team cracked Apple's Safari at Pwn4Fun, while ZDI presented a multi-exploit hack of IE11 and disclosed six additional Internet Explorer vulnerabilities that its own researchers had found over the last two weeks, said Gorenc.

Some had taken to Twitter over the last week to criticize Google and ZDI for Pwn4Fun, arguing that because the two teams had "banked" vulnerabilities to use in the charity drive, they were being hypocritical by not immediately informing the vendors -- Apple and Microsoft in this case -- of the bugs.

But Gorenc defended Pwn4Fun. "We made the browsers safer [with Pwn4Fun], and we're excited about that," Gorenc said.

Pwn2Own continues today, with Vupen and several independent researchers slated to tackle Apple's Safari and Google's Chrome, as others take additional attempts at Adobe Flash, Firefox and Internet Explorer.

Among today's scheduled contestants is George Hotz, also known as "geohot," a noted iPhone and Sony PlayStation 3 hacker, who will try his hand at breaking Firefox. Hotz has participated in previous Pwn2Own challenges, including last year's, where he exploited Adobe Reader for a $70,000 prize.

Also yesterday, Google ran its own one-day "Pwnium 4" contest at CanSecWest, pitting researchers against Chrome OS, the browser-based operating system that powers Chromebook laptops. According to a company post on Google+, one researcher successfully exploited Chrome OS on an HP Chromebook 11, winning the notebook and a $150,000 prize.

"We'll be considering partial credit for a second researcher working on the same platform," Google wrote, adding that it would publish a longer recap after CanSecWest concludes on Friday.

ZDI has posted a brief description of the results on its website.

"This is a first for the white hat market," said Gorenc of the first day's total awards of $400,000. "Over two days, we'll probably pay out over a million dollars for responsibly disclosed vulnerabilities. We're excited to do that."

This article, Researchers pocket record $400K at Pwn2Own hacking contest's first day, was originally published at

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
