The Pwn2Own contest allows each year to reward those who manage to find and exploit vulnerabilities in browsers . This competition allows publishers also concerned to accelerate the discovery of the breach. As every year, the 2015 did not spare anyone: all browsers have had their breakthroughs defenses
110 000 dollars for a single flaw in Chrome
As in 2014. all browsers are dropped at the end of last week before the attacks of hackers during the Pwn2Own competition. The competition is closely examined as the participants must use one or more faults and to manage to break through the software defenses. But impossible to use “conventional” faults since the systems used for testing all the latest patches. Consequence: the gaps used are unknown editors and are bound type 0-day. Note that Flash and Reader, both Adobe are among potential targets as a very commonly used plugins.
So we found Internet Explorer, Chrome, Firefox and Safari, all available in their latest version . With the exception of Safari, all were available on a machine running Windows 8.1 , again with all available patches. And all fell: no browser could not claim to have resisted the skills of competitors, one of which is particularly visitors. Jung Hoon Lee, Korean security researcher (pseudonym “lokihardt”), has won 110,000 dollars in just minutes, while working alone. A record.
To achieve this, he simply exploited a buffer overflow in Chrome, in its latest stable revision as well as in its latest beta. The performance allowed him to amass first 75,000 dollars from the competition itself. But the method used, which was based on two bugs in the Windows kernel, allowed him to also garner an additional $ 25,000. As for the remaining $ 10,000, they were given by Google as part of its Project Zero, to have been able to reproduce the operation of Chrome beta.
Internet Explorer, Firefox, Safari, Flash, Reader: none could resist
It did not take him more than two minutes to realize his technique, a sign that it had been largely prepared in advance. HP, the Zero Day Initiative is sponsoring the contest, noted with amusement that this performance has allowed Lee to rake in money at the speed of “ $ 916 per second .” Especially since this amount was later supplemented by another $ 65,000, this time from the operation of a TOCTOU fault (time-of-check to time-of-use) in Internet Explorer 11 in 64 bits. He was able to get read / write privileges in Microsoft’s browser, using JavaScript flaw to escape the sandbox, which normally insulates the rest of the system process.
Also note that Jung Hoon Lee the same broke through the defenses Safari on Mac, granting him an additional $ 50,000, for a total of 225,000 dollars during the competition. This is a record since high amounts are usually reserved for teams from several researchers and / or hackers. When one knows that the contest Pwn2Own this year paid a total of 557,500 dollars for 21 vulnerabilities, one is more aware of the performance of Korean researcher, totaling more than 40% of total earnings.
Here also the distribution of faults found:
- Windows: 5 faults
- Internet Explorer 11: 4 faults
- Firefox 3 faults
- Adobe Reader: 3 faults
- Adobe Flash: 3 faults
- Safari: 2 faults
- Chrome: 1 fault
As usual, the competition results will be followed by updates to close all browsers and products concerned, Firefox has already received its patch (version 36.0.4).
Vincent Hermann
Writer / journalist specializing in software and especially operating systems. Never travels without his sword.
No comments:
Post a Comment