No Browser is Secure: All Major Browsers Hacked at 2015 Pwn2Own Contest
At least on Windows, and possibly on Mac. At the 2015 Pwn2Own Contest in Vancouver, which is part of the larger computer security conference called CanSecWest, independent security researchers were able to execute exploits on all four major browsers. The victims were Safari on OSX, Chrome on Windows, Firefox on Windows, and, less surprising, Internet Explorer on Windows.
Also read: YouTube Finally Ditches Flash for HTML5
On Wednesday, security researcher Mariusz Mlynski was able to escalate a bug in Windows via Mozilla Firefox into system privileges. This is called pwning, because from there the hacker can, essentially, do whatever they like with the system.
On Thursday, Jung Hoon Lee also known as lokihardt won the largest prize of $225,000 for his exploits, which were the majority of the successful ones shown. He demonstrated a bug in Chrome on Windows and then was able to parlay from there to system level privileges, netting him $100,000. Additionally, he broke Chrome’s beta version for an extra $10,000. Then, he broke Internet Explorer and Apple’s Safari for another $115,000 combined. The Safari exploit is perhaps the more interesting because it pulls the rug from under the belief that Safari and OSX are extremely secure. Lee was able to gain root access through the browser, however, and that should be enough to move Mac users to other browsers pronto.
Additionally on Thursday, for the smallest prize taken, ilxu1a, whose real name was not divulged, successfully pwn’d a Windows laptop using a Mozilla Firefox exploit. For this, he was rewarded with $15,000.
Adobe Reader and Flash Player Also Exploited
No browser exploits were successfully demonstrated on Linux or other open-source operating systems; additionally, the other browser somewhat commonly used (though not nearly at the level of the others), Opera, was not exploited. Chinese researchers did do additional exploits on Internet Explorer 11, however, through bugs in Adobe Flash. From there, they were able to parlay this using a flaw in Windows to gain system privileges. This won a combined total of $85,000, split between KeenTeam and Team509.
KeenTeam was also involved in exploiting Adobe Reader in Internet Explorer on Windows, pwning successfully the Windows machine on which the software was running. In other Adobe exploit news, Frenchman Nicolas Joly was able to exploit both Adobe Reader and Flash Player for system privileges. Joly’s prize was $90,000.
No single attack leveraged was able to pwn in and of itself, it was necessary in all cases to execute more than one attack. In many cases, this could downgrade the effectiveness of an attack because it could be detected in its first stages or might be done improperly, prompting access to be denied from there. While the publicly available information about these exploits is vague, it seems well within the realm of possibility that they could be executed via remotely hosted code in the browser.
The Pwn2Own contest began in 2007 with the purpose of executing system-level privilege-gaining exploits on widely-used software. “Widely used” can be ambiguous, since in Asia and Russia, open-source operating systems are far more common than they are in North America and Europe. All cash prizes are in addition to the hardware that the exploits were conducted on, and all exploits were reported to the vendors responsible for the victimized software.
Images from Shutterstock.