If you’ve been following our blog (please say you have!), then you are aware of HP’s innovative PWN2OWN competition, part of the CanSecWest 2013 conference in Vancouver. The results were… powerful, to say the least.
The registrants set their sights on the browsers of their choice and were able to exploit the best of the best, even compromising Google’s Chrome browser within the first 5 minutes of the competition. Promising, however, is the fact that nobody managed to ‘own’ Google’s Chromebook, their new flagship laptop, which runs the new Chrome OS. Further capitalizing on the security lead they have created will prove fruitful for the powerhouse company in the future.
In summary, every mainstream browser in the competition was convincingly owned, in addition to both Flash and Java, which was compromised four times in total. This comes as no surprise to developers and hackers alike, who delight in Oracle’s lack of effective proactive defenses concerning their increasingly unstable platform. Don’t expect Java to ride off into the sunset with its head held high, as its continual failure to hold back cyber attacks signals a much-needed changing of the guard.
Interestingly, Internet Explorer 10 was owned once during the competition, as Pham Toan’s scheduled attack on the browser on day 2 never occurred. Microsoft stands to gain the most from this conference, as they’ve been the subject of extreme scrutiny for their lackluster web browser over the years, culminating in over one billion dollars in fines courtesy of the European Union Commission over the past 4 years.
Of the registrants of the inaugural competition, VUPEN Security stands out as the ‘winners’, successfully breaching IE 10, Firefox, Java & Flash, netting a cool $250k. Originally, only the first registrant to breach the software would be awarded prize money. However, sponsors made a decision as results flooded in, awarding prize money to those who successfully made it past defenses, encouraging continued collaborative white hat hacking in the future. Total prize money awarded currently tops out at $380k.
It is the sincerest hope of the members of Secure The World that observers & developers alike are able to take with them several important concepts from this competition, mainly the advantages that result from some well-placed, ‘friendly’ hacking.