Surprise, Surprise: Chrome; Firefox; IE10; Java; Win 8 fall at #pwn2own hackfest

[menotu]

By Darren Pauli on Mar 7, 2013 - .scmagazine

Chrome; Firefox; IE 10; Java; Win 8 fall at #pwn2own hackfest

Web browsers Google Chrome, Internet Explorer and Firefox along with Windows 8 and Java have been exploited in the Pwn2Own hacking contest in Canada today.

Each attack at the CanSecWest competition used zero-day vulnerabilities on a fully patched Windows 7, 8 and OS X Mountain Lion operating system with default configurations.

Firefox was popped with a use-after-free vulnerability and a new technique that bypasses Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in Windows, Vupen said.

Windows 8 also fell to the security consultancy which cracked Microsoft's Surface Pro using two Internet Explorer zero day vulnerabilities and a sandbox bypass. 

Java was also fell to Accuvant Labs' Josh Drake, Contextis' James Forshaw and Vupen which broke the platform by finding a heap overflow.

Chrome MWRLabs researchers Nils and Jon Butler chalked up a reliable sandbox bypass exploit against zero day vulnerabilities in Chrome. The attack was made by pointing the browser running on an updated Windows operating system to a malicious webpage which granted code execution in the sandboxed renderer process.

The pair also found a kernel vulnerability that granted elevated privileges arbitrary commands execution outside of the sandbox with system privileges.

http://www.scmagazine.com.au/News/335750,chrome-firefox-ie-10-java-win-8-fall-at-pwn2own-hackfest.aspx

Day two of Pwn2Own will see Vupen take on Flash, George Hotz take on Adobe Reader and Pharm Toan take on IE10.

[agmg]

Why weren't any Linux systems used?

[bicol_willem]

Why weren't any Linux systems used?

No one wanted to get a headache 

[menotu]

heise Security - 08 March 2013

Pwn2Own ends with all attackers winning

Security broken The Pwn2Own competition at CanSecWest has come to an end with the second day being like the first day. No web browser plugin survived being attacked and Adobe Flash, Adobe Reader XI and Java were all successfully hacked. Vupen security, who had demonstrated exploits of Internet Explorer 10, Firefox and Java on day one, returned with an exploit for Adobe Flash. George Hotz took down Adobe Reader and the day ended with Ben Murphy's exploit of Java, making it the fourth Java "pwning" of the contest.

In response to day one's exploits, both Mozilla and Google have shipped updates to their browsers. Mozilla's Firefox has been updated to version 19.0.2 with a fix for the vulnerability; the same fix, for a use-after-free in the HTML editor which could lead to arbitrary code execution, has also been applied to Firefox ESR 17.0.4, Thunderbird (ESR) 17.0.4 and SeaMonkey 2.16.1. Google has updated the stable channel for Chrome on Windows, Mac OS X and Linux for the type confusion flaw that was exploited by Nils and Jon of MWR Labs at Pwn2Own.

Both the Firefox and Chrome updates are automatically downloaded by browsers and installed on browser restarts. (or not as the case may be............)
 
By the end of Pwn2Own, at least $420,000 of the $500,000 prize fund will have been presented as prizes.

Today, the attention moves on to Google's Pwnium competition, with a $3.14159 million prize fund and up to $150,000 prizes for exploits that survive reboots.

http://www.h-online.com/security/news/item/Pwn2Own-ends-with-all-attackers-winning-1819164.html

More Mozilla info here

[menotu]

Andy Greenberg, Forbes Staff

Google Offers $3.14159 Million In Total Rewards For Chrome OS Hacking Contest

Google has never been stingy when it comes to paying for information about security vulnerabilities in its products. Now it’s offering an especially large–and especially nerdy–sum of money.

At its third Pwnium hacking competition in Vancouver in March, the company is ponying up a total of $3.14159 million in prizes for hackers who can demonstrate critical security vulnerabilities in its Chrome OS operating system running on a Samsung Series 5 550 Chromebook, according to a notice posted Monday on its Chromium blog. Any participant who can take over a Chromebook user’s browser or entire computer via a malicious Web page can earn a $110,000 payout. And if the hacker can maintain persistent control over the system between reboots of the machine, he or she can win $150,000.

Those prizes are a significant bump over Google’s already generous rewards for hackers who demonstrate flaws in its products and share information to help fix them. Though the total, pi-sized bounty is mostly a marketing gimmick–Google has only ended up paying out a few hundred thousand dollars of its $1 and $2 million dollar total offerings in previous Pwniums contests – its $150,000 reward is $90,000 more than it’s offered in the past for any single hack.

Correction: A previous version of this story stated that the reward was $30,000 more than Google had offered for a single hacking technique in the past. In fact, its maximum payout was $60,000 for a successful Chrome exploit.

http://www.forbes.com/sites/andygreenberg/2013/01/28/google-offers-3-14159-million-in-total-rewards-for-chrome-os-hacking-contest/

==================================================
Thursday, March 7, 2013

Stable Channel Update

The Stable channel has been updated to 25.0.1364.160 for Windows, Mac, and Linux. This release contains security fixes.

Security fixes and rewards:

Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

    [180763] High CVE-2013-0912: Type confusion in WebKit. Credit to Nils and Jon of MWR Labs.

http://googlechromereleases.blogspot.co.uk/2013/03/stable-channel-update_7.html

[Just17]

I did not see any results from the OS X Mountain Lion OS, nor as has been previously reported nothing about Linux.

It seems rather odd to me that Win 7 & 8 were given space in the article ... and results ...  that neither OS X nor Linux featured in results ....  with no mention of Linux at all.

... seems rather odd ...

[Serj]

Why weren't any Linux systems used?

No one wanted to get a headache 

Absolutely. Even for money.
 

[menotu]

Sarah Perez - March 8th, 2013

No Winning Exploit Found For Chrome OS At Annual Hacking Competition, Pwnium 3

A Google spokesperson confirmed the Pwnium 3 hacking contest completed without a winning entry, via the following statement:

Pwnium 3 has completed and we did not receive any winning entries. We are evaluating some work that may qualify as partial credit. Working with the security community is one of the best ways we know to keep our users safe, so we’re grateful to the researchers who take the time to help us in these efforts.

http://techcrunch.com/2013/03/08/no-winning-exploit-found-for-chrome-os-at-annual-hacking-competition-pwnium-3/