Pwn2Own 2016: Hackers Earn $460,000 for 21 New Flaws

Pwn2Own 2016

Pwn2Own 2016 has come to an end, with researchers earning a total of $460,000 in cash for disclosing 21 new vulnerabilities in Windows, OS X, Flash, Safari, Edge and Chrome.

On the first day, contestants earned $282,500 for vulnerabilities in Safari, Flash Player, Chrome, Windows and OS X. On the second day, Tencent Security Team Sniper took the lead after demonstrating a successful root-level code execution exploit in Safari via a use-after-free flaw in Safari and an out-of-bounds issue in Mac OS X. The exploit earned them $40,000 and 10 Master of Pwn points.

The same team received 15 points and $52,500 for a system-level code execution exploit in Microsoft Edge via an out-of-bounds vulnerability in Edge and a buffer overflow in the Windows kernel.

JungHoon Lee (lokihardt) also managed to demonstrate a system-level code execution exploit against Microsoft Edge by using an uninitialized stack variable vulnerability in Edge and a directory traversal in Windows. The exploit earned him 15 points and $85,000, which represents the biggest cash prize awarded in a single attempt.

Lee also took a crack at Google Chrome, but his attempt failed. Tencent Security Team Shield also had a failed attempt against Adobe Flash Player.

360Vulcan Team, which occupied the first position after the first day, did not earn any additional rewards on the second day.

Overall, Tencent Security Team Sniper earned the highest number of Master of Pwn points (38), for which the team will get an extra 65,000 ZDI points (worth $25,000) in addition to the $142,500 in cash awarded for their exploits. Lee walked away with the most money as his exploits helped him get a total of $145,000.

Pwn2Own 2016 is considered a success by organizers, with a total of 21 vulnerabilities found in Windows (6), OS X (5), Flash (4), Safari (3), Edge (2) and Chrome (1). It’s worth pointing out that while the Chrome exploit demonstrated by 360Vulcan Team worked, it’s considered only a partial success as the Chrome flaw they leveraged had been previously reported to Google.

For the first time in the competition’s history, all of the exploits demonstrated at Pwn2Own 2016 achieved system or root privileges, which is concerning for the state of kernel security.

“As ZDI researcher Jasiel Spelman noted, researchers and attackers are likely focusing on the kernel in response to advances in sandboxing. It’s a truism in security that when you harden one area, attackers and researchers will move their attention to another one,” explained Christopher Budd, global threat communications manager at Trend Micro. “Based on Pwn2Own 2016, it appears that’s happening with a shift to focus on the kernel. This is also borne out by what we’re seeing in Linux lately: while Linux is outside the focus of Pwn2Own, we’ve seen a number of Linux kernel issues lately.”

Pwn2Own 2016 is the first edition of the hacking contest where researchers have been invited to escape a VMware virtual machine for a bonus of $75,000. However, none of the participants demonstrated a successful exploit in this class.

It’s worth noting that this year’s contestants earned nearly $100,000 less for their exploits compared to Pwn2Own 2015, when researchers walked away with more than $550,000.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
