The final scores for the two-day Pwn2Own security penetration competition are in, and it's been a bumper year for researchers: 21 previously-unpublished bugs successfully exploited across seven software packages, with a total payout of nearly $560,000.
Taking place alongside the annual CanSecWest security conference, Pwn2Own asks security researchers to attempt to exploit popular browsers and operating systems on brand-new hardware. Researchers are able to use any vulnerability to do so, so long as it has not already been made public. The rewards: taking home the hardware on which the exploit was run, hence 'pwn to own,' as well as cash prizes from sponsors HP and Google.
The first day of last week's event was certainly eventful: researchers successfully bypassed security protections within Adobe Flash and Reader, Mozilla Firefox and Microsoft Internet Explorer, enhancing their attacks on these browsers with privilege-escalation attacks on the underlying Windows operating system.
Day two was barely less impressive, with event sponsor HP reporting further successful attacks on Google's Chrome browser, Mozilla's Firefox and Apple's Safari browser plus the underlying OS X operating system. In total, the company has reported the private disclosure of 21 previously-unknown security vulnerabilities: five in Windows, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader and Flash, two in Apple Safari and one in Google Chrome. Between the event prizes and additional fees paid out under Google's own security bounty programme, researchers received $557,500 for their efforts.
The vulnerabilities used to attack the systems have, as the rules of Pwn2Own require, been communicated privately to the respective vendors and will not be made public until they have had a chance to issue patches.