Pwn2Own ends with three browsers felled - Update
By the end of the Pwn2Own competition at CanSecWest, Google Chrome, Microsoft Internet Explorer and Mozilla Firefox were all subject to zero day exploits, winning the teams involved the maximum points for an exploit. Chrome also fell a second time in Google's own Pwnium contest with an attack that pulled together three zero day vulnerabilities.
At the end of the competition, the VUPEN team took first place, and the $60,000 prize, with 123 points, after toppling both Internet Explorer and Google Chrome. Their Chrome exploit is believed to have leveraged flaws in the Flash player bundled with the browser, while their Internet Explorer exploit first provoked a buffer overflow on the heap working around DEP and ASLR protections. They then made use of a memory error to break out of the sandbox (protected mode) of the web browser. VUPEN will only be revealing details of the heap overflow, keeping the protected mode bypass a secret that it can sell to its customers. It claims that the exploit works on Internet Explorer 10 but that there are more protections against user-after-free and memory leaks in the browser making it more difficult to exploit.
Mozilla Firefox fell to the team of Willem Pinckaers and Vincenzo Iozzo, who together took second place overall in Pwn2Own. Their single zero day vulnerability in Firefox involved a use-after-free problem which evaded DEP and ASLR protections in Windows 7. According to reports, the vulnerability was used to leak information multiple times that was then used to prepare code to be executed, again through the same vulnerability. Pinckaers and Iozzo won $30,000 with 66 points.
At Google's Pwnium contest, Chrome fell a second time after a hacker by going by the name of "Pinkie Pie", also the name of a My Little Pony character, chained three zero day vulnerabilities in Chrome together to break out of the browser's sandbox and execute code. The exploit was revealed only hours before the contest closed. Google will not discuss the details of the three vulnerabilities until it has created and widely distributed a patch for the holes; the company patched the holes involved in the first Pwnium exploit within 24 hours. The Google competition was independent of Pwn2Own; the search company decided to sponsor its own contest after discovering rule changes meant participants would not be required to disclose vulnerabilities used in Pwn2Own to the affected vendors.
Update - Google has now patched Pinkie Pie's vulnerabilities and announced the changes are being distributed in an update to the stable version of Chrome. Further changes are expected to harden the browser against CVE-2011-3046 and CVE-2011-3047, the CVE numbers allocated to Pinkie Pie's vulnerabilities. Google said of both exploits that they were "works of art and deserve wider sharing and recognition" and that it plans to do full technical reports on them in the future.
(djwm)