Is no browser safe? Security bods poke holes in Chrome, Safari, IE, Firefox and earn $1m

Big names fail, iOS kernel flaw found during hacking contests


The Pwn2Own and Pwnium hacking contests at the annual CanSecWest conference in Vancouver have earned security researchers over a million dollars in prizes, exposed 34 serious zero-day flaws in popular code, and earned over $82,000 for the Canadian Red Cross.

In each of the Pwn2Own and Pwnium competitions, contestants are challenged to exploit vulnerabilities in supposedly secure software to execute malicious code – and walk away with cash if their attacks are successfully demonstrated on stage. The techniques used to own a program are privately disclosed so that the bugs can hopefully be fixed.

HP TippingPoint's Pwn2Own competition netted researchers $850,000 as all the major browsers – Chrome, Safari, Internet Explorer and Firefox – fell to attacks within the 30-minute timeframe for each, along with Flash. Only Java held up to the time-limited attacks, although researchers attempting to crack Oracle's code did come up with some interesting techniques that just took too long.

"Bug bounty schemes like Pwn2Own are really now just an extension of proper software testing," Brian Gorenc, manager of vulnerability research for HP's Zero Day Initiative, told The Register.

"It's about allowing your software to be picked over by skilled independents who may spot flaws that slipped through the quality control process. It's well worth the prize money."

Meanwhile in Google's fourth Pwnium competition, one skilled cracker broke into the Chocolate Factory's Chrome OS running on an HP Chromebook 11, earning himself $150,000 and the subverted laptop. Another researcher got part way there and will receive a lesser award from Google for their efforts.

There was also a fun competition between Google and HP, dubbed Pwn4Fun, which raised $82,500 for the Canadian Red Cross and exposed some major flaws. Gorenc said staff at Google found six zero-day vulnerabilities in Microsoft code, as well as a kernel issue in Apple's iOS. ®