Tencent Security Team Sniper crowned Master of Pwn
Pwn2Own Researchers pulled off multiple OS X, Windows and web browser exploits at the latest Pwn2Own competition.
White hat hackers earned $460,000 in prizes for finding and exploiting 21 security vulnerabilities in widely used software.
Details of the flaws were privately shared with vendors so that their code that can be fixed and updates released to the public.
It’s a good win-win situation.
On the first day of the two-day competition, Safari, Chrome and Flash Player were all hacked, some on multiple occasions.
Day two began with two botched attempts to exploit vulnerabilities in Google’s Chrome browser and an abortive Adobe Flash exploit by Tencent Security Team Sniper.
Sniper bounced back with successful exploits against Microsoft’s Edge browser, and was crowned Master of Pwn for Pwn2Own 2016.
So, the hacking contest’s final tally: Microsoft Windows was exploited six times, Apple’s OS X five, Adobe Flash four, Apple Safari three, Microsoft Edge twice, and one for Google Chrome (although this attack was a duplicate of an independently reported vulnerability).
Pwn2Own 2016 was held over two days alongside the CanSecWest security conference and sponsored by Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative.
Trend Micro’s reports on day one and day two of the competition provide more details.
Back in the day, the long-running Pwn2Own competition used to see experts race to compromise software to win prizes.
These days it’s more like an Olympic diving competition, where people take turns and earn plaudits for successfully pulling off more difficult attacks, which stand a higher chance of going awry.
The event was, by all accounts, a great success. Researchers get rewarded for their work and software developers get the heads-up on problems.
Some security experts did, however, note that the Wassenaar arrangement limited the involvement of EU researchers.
The Wassenaar arrangements cover the export of weaponry which, these days, includes cyber munitions.
Earlier suggestions for how to extend Wassenaar into cyber included a blanket ban on tools used by security researchers to test software – such as fuzzers – which would have being banned from export. ®
Sponsored: DevOps: hidden risks and how to achieve results