Two researchers on Thursday successfully hacked the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, at the Pwn2Own, the annual hacking contest in Vancouver.
In particular the Korean researcher Jung Hoon Lee earned $110,000 in just two minutes, the man used 2000 lines of code to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser.
Lee also hacked in the same day a 64-bit version of IE 11 exploiting a time-of-check to time-of-use (TOCTOU) vulnerability. The flaw exploited between the time a file property is checked and the time the file is used, allowed the research a privilege escalation. Lee awesome, because he closed the day exploiting a use-after-free vulnerability to take down Safari browser.
In just one day, Lee earned about $ 225,000 hacking the main browser. GREAT JOB!
Lee isn’t the unique expert that demonstrated the vulnerability of principal browsers. A researcher operating under the pseudonym ilxu1a hacked Mozilla browser. The researchers discovered an out-of-bounds read/write vulnerability through static analysis and by exploiting it he obtained a medium-integrity code execution. The same exploit did not work for Chrome.
In the following list are reported the list of bugs discovered in the principal browsers during the Pwn2Own hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero:
The total amount of money paid to the researchers is $442,500 … I love the Pwn2Own competition because gives value to the knowledge and power to the research!
(Security Affairs – browser, Pwn2Own )