Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Pwn2Own 2016: Hackers Earn $460,000 for 21 New Flaws

Pwn2Own 2016

Pwn2Own 2016 has come to an end, with researchers earning a total of $460,000 in cash for disclosing 21 new vulnerabilities in Windows, OS X, Flash, Safari, Edge and Chrome.

Pwn2Own 2016

Pwn2Own 2016 has come to an end, with researchers earning a total of $460,000 in cash for disclosing 21 new vulnerabilities in Windows, OS X, Flash, Safari, Edge and Chrome.

On the first day, contestants earned $282,500 for vulnerabilities in Safari, Flash Player, Chrome, Windows and OS X. On the second day, Tencent Security Team Sniper took the lead after demonstrating a successful root-level code execution exploit in Safari via a use-after-free flaw in Safari and an out-of-bounds issue in Mac OS X. The exploit earned them $40,000 and 10 Master of Pwn points.

The same team received 15 points and $52,500 for a system-level code execution exploit in Microsoft Edge via an out-of-bounds vulnerability in Edge and a buffer overflow in the Windows kernel.

JungHoon Lee (lokihardt) also managed to demonstrate a system-level code execution exploit against Microsoft Edge by using an uninitialized stack variable vulnerability in Edge and a directory traversal in Windows. The exploit earned him 15 points and $85,000, which represents the biggest cash prize awarded in a single attempt.

Lee also took a crack at Google Chrome, but his attempt failed. Tencent Security Team Shield also had a failed attempt against Adobe Flash Player.

360Vulcan Team, which occupied the first position after the first day, did not earn any additional rewards on the second day.

Overall, Tencent Security Team Sniper earned the highest number of Master of Pwn points (38), for which the team will get an extra 65,000 ZDI points (worth $25,000) in addition to the $142,500 in cash awarded for their exploits. Lee walked away with the most money as his exploits helped him get a total of $145,000.

Pwn2Own 2016 is considered a success by organizers, with a total of 21 vulnerabilities found in Windows (6), OS X (5), Flash (4), Safari (3), Edge (2) and Chrome (1). It’s worth pointing out that while the Chrome exploit demonstrated by 360Vulcan Team worked, it’s considered only a partial success as the Chrome flaw they leveraged had been previously reported to Google.

Advertisement. Scroll to continue reading.

The exploits demonstrated at Pwn2Own 2016, all of which achieved system or root privileges for the first time in the competition’s history, are concerning for the state of kernel security.

“As ZDI researcher Jasiel Spelman noted, researchers and attackers are likely focusing on the kernel in response to advances in sandboxing. It’s a truism in security that when you harden one area, attackers and researchers will move their attention to another one,” explained Christopher Budd, global threat communications manager at Trend Micro. “Based on Pwn2Own 2016, it appears that’s happening with a shift to focus on the kernel. This is also borne out by what we’re seeing in Linux lately: while Linux is outside the focus of Pwn2Own, we’ve seen a number of Linux kernel issues lately.”

Pwn2Own 2016 is the first edition of the hacking contest where researchers have been invited to escape a VMware virtual machine for a bonus of $75,000. However, none of the participants demonstrated a successful exploit in this class.

It’s worth noting that this year’s contestants earned nearly $100,000 less for their exploits compared to Pwn2Own 2015, when researchers walked away with more than $550,000.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.