Pwn2Own carnage continues as exploits take down Adobe Reader, Flash

Hacks may be getting harder but they're still plentiful.

Thursday was another grim day for Internet security as contestants at the Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash programs, allowing them to take full control of the computers they ran on. Oracle's Java was also, once again, felled.

The exploits, which fetched more than $160,000 in prizes, were impressive because they pierced a wall of defenses erected by some of the brightest minds in the field of software engineering. Those defenses included an anti-exploit "sandbox," which Adobe engineers added to Reader in 2010 and have been improving ever since. The mechanism isolates Web content in a restricted container that's sealed off from sensitive operating-system functions, such as writing files to disk or making system changes.

Until last month, no active attack had successfully bypassed the Reader sandbox protection. On Thursday, the defense suffered another significant blow when George Hotz, who hacked Sony's PlayStation 3 in 2010 at age 21, was also able to circumvent the Reader sandbox. The feat won him $70,000.

"The first thing I did was break into the sandbox, the next thing I did was break out," Hotz said, according to a tweet issued by members of TippingPoint, the HP division that sponsored the competition.

Flash harder to exploit than Java

Researchers from Vupen Security, a company in France that sells "weaponized" exploits to democratic governments, were also able to pierce key defenses included in Adobe's Flash Player, securing them $70,000.

"It's more expensive to create a Flash exploit than a Java one," Vupen CEO Chaouki Bekrar told Threatpost reporter Dennis Fisher. "Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure."

Thursday's exploits, which also included new attacks on Oracle's Java, came a day after contestants brought down fully patched versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox browsers. Developers for both Chrome and Firefox issued updates patching the security flaws within 24 hours.

The operating system that runs Google's Chromebooks managed to survive a second, Google-sponsored hacking contest that was also held at the CanSecWest security conference, the same venue as Pwn2Own. "Pwnium," as the contest is called, offered prizes of $150,000 for compromises that persisted even after the device was rebooted, or $110,000 for more limited system compromises that used the device's Web browser. While the ability of the Chrome OS to emerge untarnished is a good sign, it's worth recalling that it has by no means been immune to serious attacks in the past.