At Pwn2Own, Browser Exploits Getting Harder, More Expensive to Find

VANCOUVER–The Pwn2Own contest has evolved in many ways over the years, from new rules to new targets to larger prizes, but perhaps the one thing that has  changed the most is that the researchers who show up here every year hoping to go home with a bag full of money are having to spend more and more time finding and exploiting vulnerabilities in the browsers and plug-ins in play. The research team at VUPEN, which successfully compromised Internet Explorer 10 on Windows 8 spent several months finding the flaws they used and writing the expoits.

Browser exploitVANCOUVER–The Pwn2Own contest has evolved in many ways over the years, from new rules to new targets to larger prizes, but perhaps the one thing that has  changed the most is that the researchers who show up here every year hoping to go home with a bag full of money are having to spend more and more time finding and exploiting vulnerabilities in the browsers and plug-ins in play. The research team at VUPEN, which successfully compromised Internet Explorer 10 on Windows 8 spent several months finding the flaws they used and writing the expoits.

That’s a lot of time and resources to devote to what is essentially a game–albeit a very well-paying one–especially for a firm such as VUPEN, whose business is selling such vulnerabilities to private customers. However, Chaouki Bekrar, the CEO and head of research at VUPEN, said that the time and effort were worth it, thanks to the higher cash rewards in this year’s contest and the fact that the vulnerabilities and attack techniques they used aren’t the only ones they have.

“We thought a lot about whether to participate this year because the cost to create a reliable exploit is getting very high. We spent several weeks finding the vulnerability in IE 10 and several more weeks writing a reliable exploit,” said Bekrar. “Even the prizes at Pwn2Own don’t cover that cost. But we have other techniques.”

For their weeks of effort finding and exploiting the vulnerabilities in IE 10, VUPEN won $100,000 and there likely will be more to come later this week when the team takes a swing at Firefox 19 and Adobe Flash. Still, Bekrar said that finding reliably exploitable vulnerabilities in the major browsers and plug-ins such as Flash is becoming much harder.

“Writing exploits in general is getting much harder. Java is really easy because there’s no sandbox. Flash is a different thing and it’s getting updated all the time and Adobe did a very good job securing it. It’s more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they’re killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure.”

Java, of course, is a different story altogether. That technology has been the target of a number of public exploits for the last few months, and Bekrar said that’s no accident.

“We see that criminals are moving from Flash to Java. We don’t see many Flash exploits in the wild these days,” he said. I think Java they need to redesign. The code base is too big. Adding a sandbox in the browser won’t change anything.”

Bekrar also praised Google for the work that company’s security team has done in locking down Chrome in recent years.

“Chrome is probably the most hard to attack because of the sandbox,” he said. “The weakness in Chrome is Webkit and the strength is the sandbox. Probably one of the reasons Chrome is so secure is that the Google guys don’t just fix vulnerabilities but they’re proactive in fixing techniques and sandbox bypasses.”


Scenes from CanSecWest 2013


Suggested articles