Popular Browsers hacked at Pwn2Own 2015 Event

Every year, browser vendors tighten the security features of their browsers ahead of the Pwn2Own browser hacking competition in a bid to prevent exploitation and prove that their browser is the most secure. These efforts rarely hold the hackers back, who go on to prove that there is no such thing as a secure browser.


Browsers Hacked at Pwn2Own 2015 Event

The Pwn2Own hacking contest rewards hackers with prize money for finding vulnerabilities in every major Internet browser. This year's contest wrapped up successfully in Vancouver after contestants demonstrated remote code execution exploits in 4 major browsers:

  1. Microsoft Internet Explorer
  2. Google Chrome
  3. Mozilla Firefox
  4. Apple Safari

All of these popular, famously hard-to-compromise browsers fell prey to remote code execution exploits by the second day. South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, secured a whopping US$225,000 in prize money and a new laptop for exploiting Internet Explorer 11 and Google Chrome on Windows, and Safari on Mac OS X.

Lee hacked the 64-bit Internet Explorer 11 with a time-of-check to time-of-use exploit that achieved read/write privileges. Before his day ended, he also hacked Apple’s Safari browser, earning him $50,000. His accomplishment was particularly impressive because he competed alone, with no helping hand, while the other researchers worked in teams.

Mozilla’s Firefox was hacked by Mariusz Mlynski by using a Windows flaw to gain SYSTEM privileges. The hack earned him a $25,000 bonus on top of the standard $30,000 payout for the Firefox hack.

In each challenge, the individuals and teams had 30 minutes to demonstrate their exploits on the various Windows and Mac OS targets. The bugs discovered in the most used and popular browsers during the Pwn2Own hacking competition, hosted by HP’s Zero Day Initiative and Google’s Project Zero, are listed below.

  • Google Chrome: 1 bug
  • Apple Safari: 2 bugs
  • Adobe Reader: 3 bugs
  • Adobe Flash: 3 bugs
  • Mozilla Firefox: 3 bugs
  • Microsoft IE 11: 4 bugs
  • Microsoft Windows: 5 bugs

The author Hemant Saxena is a post-graduate in technology and has an immense interest in following Microsoft and other technology developments around the world. Quiet by nature, he is an avid Lacrosse player.

One Comment

  1. Dan

    The only slight downside to all this “pay hackers to pre-hack hackers” stuff is that then browser makers proceed as if no one on earth, no tech or third party app, could possibly exist already defending against the “hacking future”; then, taking their browsers as if standalone in all user cases, they add fixes (with MS, often OS-based) and you sometimes get weird internet experiences as new browser defenses collide with already-present user defenses. For example, if one uses recent FF versions in some vpns, FF says it can’t connect to Google because (apparently) the pin keys of Google reached via vpn are different than those you get using your normal dns…and then states this “cannot be overridden”…yet for some reason, secure search engines like DDG and StartPage remain usable with FF in vpn.
