CanSecWest – PWN2OWN overview – Update

The CanSecWest security conference in Vancouver in currently under way. In addition to their normal presentation lineup CanSecWest also hosts the PWN2OWN competition organized by ZDI where researcher’s bring their exploits and try them against the latest software versions. The competition is both technically challenging and politically loaded – two  years ago research company VUPEN made it into the headlines when they said they would not sell their Chrome exploit to Google for even 1 Million US Dollars.

This year the controversy was around Google and ZDI themselves entering the competition, which some of the other competitor thought unfair. All prize money from these exploits where Google exploited Safari and ZDI Internet Explorer was donated to charity – the Red Cross Canada.

On Day 1 the other competitors were successful as well:

• VUPEN exploited Adobe Reader XI, Adobe Flash, Mozilla Firefox and Internet Explorer 11 on Win 8.1.
• Mariusz Mlynski exploited Mozilla Firefox
• Jüri Aedla exploited Mozilla Firefox

On Day 2 further successes:

• Keen Team exploited Safari and Adobe Flash
• VUPEN exploited Google Chrome
• George Hotz exploited Firefox
• Sebastian Apelt and Andreas Schmidt exploited Internet Explorer
• An anonymous researcher exploited partially Google Chrome

Out of the US$ 850,000 VUPEN claimed almost half: US$ 400,000 went to the exploit specialist from France.

Some surprises: Overall only one exploit attempt failed (against IE), even though VUPEN withdrew from two targets Safari and Java (another potential US$ 95,000), Java ended up making it through the contest without any exploit attempts and so did the combination Windows 8.1 plus EMET via IE11, codename Exploit Unicorn , which had a prize money of US$ 150,000 assigned to it. One more reason to look at EMET for your workstations.