The annual Pwn2Own contest, a regular feature of Vancouver's CanSecWest security conference in which hackers and crackers compete to be the first to breach the security on up-to-date computers, has its first results - and they're not good news for users of Chrome, Firefox or Internet Explorer.
Each year, Pwn2Own puts major cash prizes up for those who can breach the security of fully-patched consumer systems, including Windows 8, Windows 7, and OS X, by exploiting vulnerabilities in the systems' web browsers or relevant plugins. As well as cash - up to $100,000 for the top-tier Google Chrome or Microsoft Internet Explorer 10 targets - winners take home the hardware on which the software was running, hence the name of the event.
It's a popular event, and one which typically unveils flaws in each browser - and hopefully before the hordes of ne'er-do-wells that haunt the internet know about them. In 2010, the event saw fully-patched installations of Apple's Safari browser on OS X, Internet Explorer 8 and Firefox
exploited by security researchers, along with an iPhone that had its private data sucked up by a previously unknown vulnerability in its stock web browser.
This year, the prizes are bigger than ever: the first hacker able to crack fully-patched versions of Google Chrome on Windows 7 or Internet Explorer 10 on Windows 8 can pick up a cool $100,000, while Internet Explorer 9 on Windows 7 gets a still-impressive $75,000. Mozilla Firefox, running on Windows 7, gets a security type $60,000 for their trouble, while Apple's Safari browser on a fully-patched OS X Mountain Lion install gets $65,000. Additionally, those who use browser plugins to exploit the system - rather than attacking a vulnerability in the browser directly - can pick up $70,000 from Adobe for a flaw in Flash or Reader XI, while Oracle is fronting $20,000 for anyone who finds a previously unknown vulnerability.
So far, the hackers are winning: in the first day of the contest, Chrome, Firefox and Internet Explorer 10 all fell to the researchers attacks. VUPEN, a company which has been criticised in the past for selling vulnerability code to the highest bidder
, was able to secure the prizes for Internet Explorer 10 on Windows 8, Firefox on Windows 7 and - to nobody's great surprise, given the software's track record - Oracle's Java. In a break with tradition, the company also agreed to report the vulnerabilities to each software house so the flaws could be fixed - although it did not state outright that it would not also be adding the zero-day exploits to its price list for others to buy.
Chrome running on Windws 7, patched just days before the security conference began, fell to a researcher from MWR InfoSecurity which found two zero-day vulnerabilities which allowed it to bypass in-built protections. As the rules of the competition require, details of these vulnerabilities have been passed on to Google for patching.
The only tested to remain standing was Apple's Safari running on an up-to-date OS X Mountain Lion system. That's a surprise: in past events, Safari has typically been one of the first to fall. However, it's not a necessarily a reflection of the security of Apple's browser product: out of the software on trial, no researchers picked Safari as their target - meaning that the software has not actually proven itself against an active attack at the event. Meanwhile, the second day of the competition saw both of Adobe's products - Flash and Reader - fall to attacks.