Pwn2Own 2016 has left all the tech giants exposed when it comes to resisting security threats. From operating systems to web browsers, everything was exploited by the researchers who competed against each other for the prize.
For the uninitiated, Pwn2Own is a competition in which security researchers exploit vulnerabilities in web browsers from the past year. Winners are paid substantial prize money by tech blue chips like Google, Microsoft, Apple and Adobe.
Brian Gorenc, manager of Vulnerability Research at HPE, mentioned that Firefox was not a part of the contest because it did not make any serious security improvements in the last year. The contest was sponsored by HPE and Trend Micro.
The competition takes months of preparation, as researchers look for flaws in the operating systems and web browsers. At Pwn2Own, the researchers have 30 minutes to demonstrate that they can hack and overcome the browser’s security. Whoever is able to successfully exploit the security before anyone else wins the prize.
With lots of prizes being distributed, researchers have the opportunity to build up their prize money quickly if they have the right abilities. Over $460,000 was distributed as prize money for 7 successful attempts that reported 21 new vulnerabilities.
The three browsers that were attacked were Google Chrome, Apple Safari and Microsoft Edge. It turns out that Chrome was the least vulnerable of the three. It was attacked twice by the researchers but was exploited successfully just once. Even that attack was not very successful because Chrome had already reported the attack to Google.
The participants were also able to reveal vulnerabilities in Windows and OSX. Remarkably, the attackers were able to get system or root privileges – something that happened in the previous Pwn2Own events.
OS/Browser | Vulnerabilities found
Microsoft Windows | 6
Apple OSX | 5
Adobe Flash | 4
Apple Safari | 3
Microsoft Edge | 2
Google Chrome | 1
The participating companies have been informed of the vulnerabilities and patches are expected to be released shortly.