Pwn2Own 2013: First Results
In Vancouver, the Pwn2Own contest continues, which is being held as part of the CanSecWest conference. As usual, the French company VUPEN is in the spotlight. Shauki Bekrar ( Chaouki Bekrar , VUPEN CEO) commented :
This year's quotations for finding vulnerabilities and successful exploitation for browsers were as follows :
For browser plug-ins to IE 9 on Windows 7:
The rules stipulate that the above applications will work on Windows 7, 8 and OS X Mountain Lion with the latest updates. Also, the components to be used will be in the default settings, like most users. The vulnerability used must be previously unknown (0day) and unpublished. Participants will have 30 minutes. to demonstrate successful operation.
VUPEN reservers successfully exploited Firefox, using a use-after-free vulnerability and a technique to bypass DEP and ASLR. VUPEN was also hacked (pw0ned) a MS Surface Pro tablet using two IE 10 vulnerabilities and a sandbox bypass in it. Java was pw0ned by reporters from VUPEN and Accuvant Labs using heap overflow.
')
Successful operation of Google Chrome, with a detour of a sandbox, resercher from MWR Labs.
Competitions of this kind, which are essentially a game, take a lot of time and resources, although they are well paid. VUPEN also participates in this competition as a company that explores vulnerabilities and sells exploits to private clients. The time and effort spent was worth it due to the high cash rewards. We thought a lot about whether to participate in the contest this year, because the cost of creating a reliable exploit is very high. It took several weeks to search for vulnerabilities in IE 10 and a few more weeks to develop a reliable exploit.
This year's quotations for finding vulnerabilities and successful exploitation for browsers were as follows :
- Google Chrome on Windows 7 ($ 100,000)
- Microsoft IE 10 on Windows 8 ($ 100,000)
- Microsoft IE 9 on Windows 7 ($ 75,000)
- Mozilla Firefox on Windows 7 ($ 60,000)
- Apple Safari on OS X Mountain Lion ($ 65,000)
For browser plug-ins to IE 9 on Windows 7:
- Adobe Reader XI ($ 70,000)
- Adobe Flash ($ 70,000)
- Oracle Java ($ 20,000)
The rules stipulate that the above applications will work on Windows 7, 8 and OS X Mountain Lion with the latest updates. Also, the components to be used will be in the default settings, like most users. The vulnerability used must be previously unknown (0day) and unpublished. Participants will have 30 minutes. to demonstrate successful operation.
VUPEN reservers successfully exploited Firefox, using a use-after-free vulnerability and a technique to bypass DEP and ASLR. VUPEN was also hacked (pw0ned) a MS Surface Pro tablet using two IE 10 vulnerabilities and a sandbox bypass in it. Java was pw0ned by reporters from VUPEN and Accuvant Labs using heap overflow.
')
Successful operation of Google Chrome, with a detour of a sandbox, resercher from MWR Labs.
Source: https://habr.com/ru/post/171913/
All Articles