Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari (securityweek.com)

wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.

  1. VM escapes by swb · Score: 2

    I keep waiting for someone to find a vulnerability in VMware that lets a VM keep running without appearing in inventory. Bonus points if it can vMotion itself and have access to the management side to manipulate networks.

  2. Re:They're all guilty by invictusvoyd · Score: 2

    They are crackers to be precise.

  3. Wrong subsequent links by kav2k · Score: 4, Informative

    All three links lead to the same article, which seems to be a copy&paste oversight.

    I believe the second link was meant to be http://www.securityweek.com/ha... and the third http://www.securityweek.com/re...

  4. Re:They're all guilty by Lumpy · Score: 2

    No,

    not all of them are white. Don't assume race, man!

    --
    Do not look at laser with remaining good eye.
  5. Re:They're all guilty by Austerity+Empowers · Score: 2

    #saltinelivesmatter

  6. Flash? by Drathos · Score: 5, Funny

    I hope the prize for hacking Flash was like 5 bucks.

    Talk about low hanging fruit...

    --
    End of line..
  7. Re:Very happy... by castionsosa · Score: 4, Informative

    Virtualization is one of the biggest defensive tools we have against compromise. From being able to roll back or discard/spin up a VM if it is compromised to popping snapshots of disk and memory and scanning those for running malware, or just to keep bad stuff from trying to flash firmware to a real device like a bare metal hard disk, virtualization is a must.

    My concern is that it isn't just the ESXi hypervisor that keeps the bad guys out. There are four main hypervisors out there that need to be looked at: ESXi, Hyper-V, Linux KVM, and Xen, with Xen giving way to KVM. There are also containers like LXC and Docker that are important as well. I can see KVM being more of an issue over time as OpenStack goes from "cool toy" to production quality.

    The good thing is that hypervisors in general have a limited attack surface, run relatively few applications, and tend to have a better focus on security than general operating systems.

  8. Re: How exciting! by Gadget_Guy · Score: 2

    That's because no one uses it. Notice something about the targets? They all have enormous install bases.

    Sigh. This is one of the excuses that people make when their preferred browser gets hacked first (especially if a Microsoft one wasn't hacked). The order in which targets and teams are scheduled is determined by random draws.

    The targets today included Adobe Flash on Microsoft Edge. That attack failed. Tomorrow, two other teams are scheduled to take on MS Edge, so maybe they will have more success.

  9. Re:Pwn2Own is too narrow in the scope by Bert64 · Score: 3, Insightful

    Because browsers have a very large, very public attack surface and come from the desktop mentality where security wasn't even considered until recently...

    Databases etc *should* have limited exposure to untrusted networks, and thus less attack surface - you typically interact with a frontend application rather than directly with the database for instance.

    Webservers are obviously inherently public, but security on web servers has been a serious concern for a long time plus the typical web server is far less complex than a browser. Most web based vulnerabilities these days exist in individual applications rather than the web server software itself.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!