Last week, on the second day of the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own event, security researchers continued to expose zero-day flaws in all major web browsers and related software, including Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Adobe Flash.

Microsoft’s Internet Explorer browser was successfully exploited once on March 12 by the security research firm VUPEN, and it was compromised again on March 13 by another security research team, Sebastian Apelt and Andreas Schmidt.


The ever-popular Adobe Flash was exploited on both the first and second days of the event. Once again it was the team at VUPEN, which exploited Adobe Flash on March 12. The next day, security researchers from Keen Team were also able to exploit Adobe Flash. Keen Team also exploited Safari, billed as the world’s most secure browser, and they were the only security researchers to do so. The group used a heap overflow along with a sandbox bypass.

Not to be left out, Google’s Chrome web browser was successfully exploited by VUPEN on March 13 with a use-after-free memory flaw, which enabled a sandbox bypass. While the IE, Chrome and Safari web browsers were all attacked and exploited at Pwn2Own, the most exploited browser at the event, if scored by the total number of new zero-day exploits that were publicly confirmed, was Mozilla’s open source Firefox browser. On the first day of the event, Firefox was exploited three times, and on the second day it was exploited again.

HP awarded researchers $50,000 for each Firefox flaw that was disclosed at this year’s Pwn2Own 2014. When Mozilla started its bug bounty program in 2004, it awarded researchers $500 for each critical security bug. “In July of 2010, we increased the bounty payout to $3,000 because we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information… Since then, we have seen an increase in the total amount paid per year as well as interest from security researchers to get involved with the project,” said Sid Stamm, senior engineering manager of security and privacy at Mozilla.

HP awarded $850,000 in total prize money at the Pwn2Own event. The company awarded $450,000 in prize money on the second day of Pwn2Own, adding to the $400,000 that it awarded on the first day of the event.

