Once again, major browsers fell at the two-day security contest Pwn2Own. Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year's total was $557,500.
Pwn2Own has been held annually since 2007 at the CanSecWest security conference. The goal is to exploit widely used software and mobile devices with vulnerabilities that have not yet been publicly disclosed, in exchange for the device in question and cash prizes. The name is derived from the fact that contestants must "pwn" (another way to say "hack") the device in order to "own" it (win it).
Of the trio, Chrome fared the best. Two attempts were made to hack Google's browser: One failed and one was deemed a partial success. The successfully exploited vulnerability in Chrome had already been independently reported to Google, so it wasn't given full points.
Edge and Safari, meanwhile, didn't survive any attacks. Two attempts were made to hack Microsoft's browser and three attempts were made to hack Apple's browser. All attempts were successful (2/2 for Edge and 3/3 for Safari). The biggest cash prize for a single attempt was $85,000 for pwning Microsoft Edge.
Here's the full breakdown for the 21 vulnerabilities:
- Microsoft Windows: 6
- Apple OS X: 5
- Adobe Flash: 4
- Apple Safari: 3
- Microsoft Edge: 2
- Google Chrome: 1 (duplicate of an independently reported vulnerability)
11 attempts were made in total this year by five teams:
- Tencent Security Team Sniper (KeenLab and PC Manager): 3/3
- 360Vulcan Team: 1.5/2
- JungHoon Lee (lokihardt): 2/3
- Tencent Security Team Shield (PC Manager and KeenLab): 1/2
- Tencent Xuanwu Lab: 0/1
