Shell on Earth: From Browser to System Compromise
Pwn2Own is all about owning systems/devices—a test of technical skill to see who the best hacker is.
This year’s winning submissions showed who can gain super-user (SYSTEM/root) privileges by compromising the security of browsers and browser plug-ins. Seven of eight entries targeted kernel weaknesses, regardless of OS; Apple and Microsoft were successfully owned. Among browser makers, Google fared best, being successfully exploited only once via an attack that abused a previously and independently reported vulnerability.
More than underscoring the state of browser security, however, the successful hacking attempts highlighted a serious security issue: how browsers and browser plug-ins can be used as effective attack vectors. As unknown vulnerabilities surface after every Pwn2Own contest, vendors can only up their game by having security in mind from the time they decide to create products. Vendors can use the contestants’ proofs of concept to improve their products’ security.