VANCOUVER – The prelude to the annual Pwn2Own contest between sponsor HP’s Zero Day Initiative and Pwnium contest sponsor Google produced not only zero-day exploits for Internet Explorer and Safari, but some skepticism about whether the exploits and details on the vulnerabilities were held for the contest.
The event, known as Pwn4Fun, featured researchers from the two companies who demonstrated exploits against previously unreported vulnerabilities in the Apple and Microsoft browsers. Successful exploitation resulted in more than $80,000 donated to the Red Cross of Canada.
Still, some experts have questioned how long the two companies knew about the vulnerabilities they exploited and questioned why they hadn’t reported them sooner.
Aaron Portnoy of Exodus Intelligence was the loudest among a chorus of critics who took to Twitter to condemn the contest and accused Google in particular of being critical in the past of companies for withholding details on vulnerabilities and exploits or sharing them only with customers.
“What angers me is the blatant hypocrisy originating from the Google team members who run Pwnium, Pwn4Fun and Pwn2Own against other researchers who have sat on 0day,” Portnoy said. “Watching Google take the moral high ground only when it is convenient angers me—and even more so the fact that nobody wants to call them on it.”
Google security engineer Chris Evans told Threatpost that Google had shared the vulnerability with Apple beforehand.
“Google has a policy of not withholding vulnerability details, and the vulnerabilities demonstrated today had already been reported to the vendor, Evans said. “This morning, we demonstrated exploits for these vulnerabilities as part of the competition.”
Google kicked off Pwn4Fun with a run at Safari running on a fully patched MacBook. The successful exploit was good for $32,500 to the Canadian Red Cross. An hour later, HP’s Jasiel Spelman, Matt Molinyawe, and Abdul-Aziz Hariri took down Internet Explorer, a zero day worth $50,000 to the same charity.
HP’s Zero Day Initiative purchased the two bugs, as well as all of the vulnerabilities to be exploited during the Pwn2Own contest; 15 successful exploits during the two-day event would result in close to $1.1 million in payouts.
Google did not share details on the Safari vulnerability. HP ZDI said it exploited a use-after-free vulnerability and a sandbox bypass to gain code execution with process continuation, meaning the exploit would not visually crash the browser, HP said. The company said it also disclosed six more IE zero day vulnerabilities to Microsoft.
“Thinking of user safety, it’s too soon to share details about the exploits or bugs they are based on. We do believe in open sharing within the security community so that we can all learn from each other and push internet security forward,” Evans said via email. “Accordingly, we’ll be publishing details on one of our blogs in the future.”
HP’s Brian Gorenc, manager of vulnerability research for the ZDI, told Threatpost that it was not withholding a zero-day vulnerability for use in the contest.
“We are responsibly disclosing several vulnerabilities and techniques at an event built around responsible disclosure,” Gorenc said. “While we will be demonstrating the exploit publicly, the techniques and vulnerability details will be kept private.”
Gorenc said HP ZDI will provide Microsoft with a white paper that includes a full analysis of the IE vulnerabilities exploited and techniques used in the contest, the same process Pwn2Own contestants must follow as well.
“Vendors are then given 120 days to fix the security flaws, a pretty significant window of time,” Gorenc said. “The time that ZDI spends analyzing all sorts of software helps to secure the internet – which is why contests like Pwn2Own are so important in helping the industry keep dangerous vulnerabilities out of the black market.”