How can I know what your “favorite browser” is? It doesn’t matter, really; if it’s any one of the four most popular browsers — Chrome, Internet Explorer, Firefox, or Safari — it’s just been successfully exploited.
This past week marked the 8th annual Pwn2Own, where security researchers come from near and far to flex their talents. The goal? Demonstrate exploits on the latest builds of popular browsers, get a pile of cash in return.
The good news: because of the nature of the competition, none of the specifics of these exploits are made public until the companies behind the browsers get a chance to patch things up. So while the bugs being exploited here might be lurking in your browser, you’re probably not in danger of actually getting nailed by them before they’re cleaned up.
Mozilla, for example, tells me they’ll have Firefox patched by the end of today. None of the other browser makers had responded to our requests for comment at the time this was published.
The definition of “exploit” in Pwn2Own is pretty straight forward: “modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions”.
In other words: break through a browser’s security systems, make it run code that it really isn’t supposed to. No user interaction is allowed, beyond “the action required to browse to the malicious content”.
Each researcher has 30 minutes to demonstrate their exploit on a machine they’ve never touched, with each machine running a fully-patched version of its operating system. To be clear: most of these bugs are the result of days/weeks of research — they’re not something the researchers unearthed in their 30 minute demo window.
Here’s how each browser fared:
- 4 bugs were demonstrated in Internet Explorer (tested on Windows 8.1)
- 3 bugs were demonstrated in Mozilla Firefox (tested on Windows 8.1)
- 2 bugs were demonstrated in Safari (tested on OS X Yosemite)
- 1 bug was demonstrated in Chrome (tested on Windows 8.1)
(Note: Before anyone says “Hah! Good thing I run Opera!”, remember that Opera has been based on Chrome/Chromium since May of 2013. So Chrome bugs likely affect Opera, too.)
Meanwhile, researchers also demo’d exploits across Adobe Reader, Flash, and Windows itself.
That last browser bug, the one found in Chrome, actually resulted in the biggest payout in the contest’s history: a staggering $110,000. Chrome already has the biggest payout of any of the browsers because it’s notoriously hard to exploit — but the researcher, JungHoon Lee, scored some bonus cash for style. He got $75k for the initial bug, $25k for getting his code to run at a system level, and another $10k because the bug also works in the beta build of Chrome.
JungHoon was also the researcher behind one of the bugs found in Safari ($50k) and one of the bugs in IE11 ($65k), netting him a total of $225,000 for the day. Not a bad pay day.
At the end of the 2-day competition, a total of $557,500 was paid out to participants.