Record Payouts At Hacking Contests
Written by Andrew Johnson   
Monday, 17 March 2014

Hewlett-Packard paid out a total of $850K for security exploits during its two-day Pwn2Own event held at CanSecWest 2014. A further $150K was awarded by Google in its Pwniumn 4 competition that took place on the first day.

Although nobody attempted HP's Grand Prize, dubbed the Unicorn, which was to exploit Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running, Pwn2Own contestants compromised IE twice.

On Day One (March 12) by French security research firm VUPEN which employed  use-after-free causing object confusion in the broker, resulting in sandbox bypass; and on Day 2 (March 13) by by Sebastian Apelt and Andreas Schmidt with two use-after-free bugs and a kernel bug.

VUPEN emerged as the dominant player for the fourth year running, also taking down Adobe Flash, Adobe Reader and Mozilla Firefox on Day One, netting a total of $300K. VUPEN withdrew two of its exploits attempts - against Java on Day One and Apple Safari on Day Two. It did however hack Google Chrome on Day Two, for a further $100K, with a use-after-free affecting both Blink and WebKit along with a sandbox bypass, resulting in code execution.

Firefox was the most exploited browser in this year's competition with a total of four exploits all using different techniques, including a use-after-free, a privilege escalation, and an out-of-bounds read and write. Asked why Firefox had attracted such attention Sid Stamm, senior engineering manager of security and privacy at Mozilla told eWeek:

"Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users"

In fact Firefox exploits earned less than any of the others but at $50K the reward far exceeds the $3K offered by Mozilla in its bug bounty program.

Google had put $2.7 Million On Offer For Pwnium 4 for finding serious holes in Chrome OS but in the event awarded just one top prize of $150,000 plus a HP Chromebook 11, although it is considering partial credit for a second researcher.

As a prelude to the contest, security teams from Google and HP's ZDI (zero Day Initiative) went head to head in Pwn4Fun with each team claiming a victory in exploiting recently discovered flaws in Safari and IE. The prizes ($82,500 in total) were donated to the Canadian Red Cross.

Google Chome Developers on Google+

Related Articles

$2.7 Million On Offer For Pwnium 4

Google Announces More Cash For Security Bugs

Chrome Hacked Twice at CanSecWest

Google Offers $1 million for Chrome Hack

Google Offers Cash For Security Patches

A Short History of Hacking

Chrome, IE and Firefox Hacked

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin,  or sign up for our weekly newsletter.

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Banner


Insights Into Learning Computer Science
18/12/2024

JetBrains Academy has published the results of a worldwide survey that set out to discover current trends in computer science education and the challenges involved in studying computer science. I [ ... ]



Windows 11 Adoption Takes A Downturn
11/12/2024

With Windows 10 End of Life only ten months away, Microsoft is stepping up its campaign to get Windows users to upgrade to Windows 11. But while Windows 11 had been gaining users at a steady rate at t [ ... ]


More News

Last Updated ( Monday, 17 March 2014 )