Chrome OS may have survived a barrage of attacks at Pwnium 3 but Windows and Windows browsers have not been so lucky. At Pwn2Own, a hacker competition sponsored by HP, hackers were able to exploit vulnerabilities in Internet Explorer 10 on Windows 8, Chrome on Windows 7, and Firefox on Windows 7 which allows the hackers to bypass sandboxes and gain access to the whole system.
VUPEN Security, a firm popular for selling instead of disclosing exploits it finds, was utilized two zero-day exploits to “pwn” Internet Explorer 10 on Microsoft Surface Pro tablet running Windows 8. The hack allowed VUPEN to bypass security sandboxes and gain full access to Windows 8. VUPEN made $100,000 from the competition for this hack.
VUPEN was also able to exploit Firefox 19, Flash, and Java on Windows (I believe Windows 7 but I am not sure) which allows system access and for which they made $60,000, $70,000, and $20,000 respectively. (Note how a Java exploit is worth significantly less than other exploits. Subtle hint, anyone?)
Another firm, MWR Labs, performed a hack on Chrome 25 on Windows 7. Utilizing “previously undiscovered vulnerabilities”, MWR Labs’ exploit was executed via a driveby attack on a booby-trapped website which allows MWR Labs to bypass Chrome’s security sandbox. Combined with a vulnerability in Windows 7 kernel, MWR Labs was able to gain full access to the computer.
Aside from that, George Hotz was able to exploit Adobe Reader XI ($70,000 prize) on Windows and three other hackers were also able to individual exploit Java on Windows — one of them even did it remotely.
For what it is worth, Mozilla and Google have already pushed out updates to Firefox and Chrome to fix the vulnerabilities used in Pwn2Own. Status of patches for the other vulnerabilities is unknown.
…I knew I should have bought a Mac. Just kidding!
[via ArsTechnica, HP, image via mightyohm]