Google Chrome, Adobe Flash, Apple Safari exploited on first day of Pwn2Own

On the first day of the Pwn2Own 2016 hacking contest, which is taking place in Vancouver, Canada, researchers were awarded $282,500 for finding new security flaws in Adobe Flash, Google Chrome, and Apple Safari.

Hewlett Packard Enterprise and Trend Micro are jointly sponsoring this year's Pwn2Own event.

The 360Vulcan Team received $132,500 in prize money for exploiting Adobe Flash and Google Chrome.

"The [Windows] kernel vulnerability was a use-after-free vulnerability," Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. "They successfully chained both of these to compromise the target at the system level."

The first exploit, against Flash and Windows, earned the 360Vulcan team $80,000, while the second, against Google Chrome, earned them $52,500.

JungHoon Lee, an independent security researcher, earned $60,000 for exploiting Apple's Safari browser. He found four vulnerabilities, which include issues in Safari as well as in Apple's OS X desktop operating system.

"One of the vulnerabilities was in Safari, the other three were vulnerabilities within Mac OS X," Budd said.

Tencent Security Team Shield is the other team, which won $40,000 for an exploit against Apple Safari. They also earned $50,000 for attacking Flash with an out-of-bounds vulnerability, combined with an infoleak vulnerability and a use-after-free vulnerability in the Windows kernel, to get SYSTEM access on the machine.

There is an award for any researcher who is able to execute a hypervisor escape from the VMware Workstation virtual machine on which the Windows-based browsers will be running, but unfortunately no security researchers even dared to attempt it.

"It's a new vector for attack, and one that can be particularly challenging," Budd said. "Given the amount of time required for adequate research, it's not surprising that no one has signed up this year. However, we do expect to see people sign up for this next year."