Once again, major browsers fell at the two-day security contest Pwn2Own. Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year’s total was $557,500.
Pwn2Own has been held annually since 2007 at the CanSecWest security conference. The goal is to exploit widely used software and mobile devices with vulnerabilities that have not yet been publicly disclosed, in exchange for the device in question and cash prizes. The name is derived from the fact that contestants must “pwn” (another way to say “hack”) the device in order to “own” it (win it).
Of the trio, Chrome fared the best. Two attempts were made to hack Google’s browser: One failed and one was deemed a partial success. The successfully exploited vulnerability in Chrome had already been independently reported to Google, so it wasn’t given full points.
Edge and Safari meanwhile didn’t survive any attacks. Two attempts were made to hack Microsoft’s browser and three attempts were made to hack Apple’s browser. All attempts were successful (2/2 for Edge and 3/3 for Safari). The biggest cash prize for a single attempt was $85,000 for pwning Microsoft Edge.
Here’s the full breakdown for the 21 vulnerabilities:
- Microsoft Windows: 6
- Apple OS X: 5
- Adobe Flash: 4
- Apple Safari: 3
- Microsoft Edge: 2
- Google Chrome: 1 (duplicate of an independently reported vulnerability)
Operating systems are included in the list because the attackers exploited them to gain access outside of the browser. In fact, every successful attack at Pwn2Own this year achieved system or root privileges, which has never happened at the event before. Adobe Flash was included because it was unsurprisingly often used to circumvent browser security.
11 attempts were made in total this year by five teams:
- Tencent Security Team Sniper (KeenLab and PC Manager): 3/3
- 360Vulcan Team: 1.5/2
- JungHoon Lee (lokihardt): 2/3
- Tencent Security Team Shield (PC Manager and KeenLab): 1/2
- Tencent Xuanwu Lab: 0/1
If you’re curious about the teams and their attacks, security firm Trend Micro has recaps available for both days: