Hackers have successfully compromised all major web browsers as part of the Pwn2Own contest at the CanSecWest security conference in Vancouver, Canada, with zero-day exploits demonstrated against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, and Adobe Flash Player.
A group from French security research firm Vupen hacked Google Chrome by exploiting a use-after-free vulnerability that exists in both the WebKit and Blink rendering engines, and then bypassed Chrome’s sandbox to execute code on the underlying PC.
George Hotz, known online as geohot, and security researchers Jüri Aedla and Mariusz Mlynski managed two separate exploits against Mozilla Firefox.
Researchers Sebastian Apelt and Andreas Schmidt demonstrated a browser-based exploit against IE, chaining two use-after-free vulnerabilities together with a Windows kernel bug to achieve remote code execution.
A hacking group known as Chinese Keen Team successfully exploited two vulnerabilities in Apple’s Safari browser to execute arbitrary code on a Mac running a recent version of OS X.
The successful hackers have earned themselves prizes worth more than $450,000 (£270,000) for disclosing their exploits to the companies involved, which will now develop patches to secure their software.
Photograph by Bill Burris