Mozilla patched a Firefox zero day uncovered at Pwn2Own in 22 hours on Friday.
Mike Mimoso and Chris Brook discuss the news of the week, including Pwn2Own 2017, Microsoft’s silence around February’s Patch Tuesday, and a nasty SAP bug.
On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux.
Chrome 51.0.2704.79 for Windows, Mac, and Linux was released Wednesday and patched 15 vulnerabilities, including two high-severity flaws eligible for bounties.
Mariusz Mlynski is having a May to remember, earning $30,000 in bounties from Google for vulnerabilities he discovered and disclosed, on top of another $15,500 earlier this month from the same program.
Google pushed out the latest version of Chrome Thursday afternoon, fixing five issues, four of them critical.
Hackers took down Apple Safari and Adobe Flash, earning $282,500 in prizes on Wednesday, the first day of the annual Pwn2Own hacking challenge in Vancouver.
Last week the computer hacking competition pwn2own once again took place at the CanSecWest conference in Vancouver.
During the competition, hackers and security researchers are challenged to exploit popular software and devices using previously unknown vulnerabilities.
Successful hackers win the device that they exploited, a cash prize, and a “Masters” jacket celebrating the year of their win.
News of ubiquitous software being hacked in such a short time can often leave us feeling despondent about the state of security, but I believe that competitions such as pwn2own give us cause for optimism.
Cash prizes for hacking at competitions and bug bounty programs, such as those run by Google and Facebook, motivate hackers and researchers to use their skills to help improve security and not just exploit it.
As long as vulnerabilities are disclosed to the right parties when they are discovered, it helps to reduce the window of opportunity for malicious hackers to turn a profit.
Remember to update
While software manufacturers were likely hoping to come through pwn2own 2015 unscathed, most will now set about fixing and patching their products and services to mitigate these newly discovered threats.
Expect new security updates in the near future and remember to always keep your operating system and programs up to date.
Chrome got both its stable and beta versions hacked in just two minutes. Google paid $75,000 for just one buffer overflow in Chrome that allows an attacker to bypass the sandbox.
Apple’s Safari was also hit, through a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser, with the sandbox bypassed for code execution.
Mozilla Firefox was hit with an out-of-bounds read/write vulnerability leading to medium-integrity code execution.
A team of researchers showed their skills against Flash by using a heap overflow remote code execution vulnerability and then leveraging a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 for the Flash bug and a bonus of $25,000 for the SYSTEM escalation. Another researcher exploited Flash by using a use-after-free (UAF) remote code execution vulnerability and a sandbox escape directory traversal vulnerability in the Flash broker.
Adobe Reader was exploited twice through a stack buffer overflow – once for an info leak and again for remote code execution. The researcher leveraged an integer overflow to exploit the broker, netting him a cool $60,000 USD. For the day, that brings his total payout to $90,000 USD.
The final numbers for Pwn2Own 2015 are quite impressive:
5 bugs in the Windows operating system
4 bugs in Internet Explorer 11
3 bugs in Mozilla Firefox
3 bugs in Adobe Reader
3 bugs in Adobe Flash
2 bugs in Apple Safari
1 bug in Google Chrome
$557,500 USD bounty paid out to researchers
As with every Pwn2Own, all vulnerabilities were disclosed to their respective vendors in the “Chamber of Disclosures,” and each vendor is working to fix these bugs through their own processes.
Two researchers took down the four major browsers, Internet Explorer, Firefox, Chrome, and Safari yesterday as Pwn2Own wrapped up in Vancouver.