Day two of the Pwn2Own competition at CanSecWest was again successful for French firm Vupen Security, which exploited Adobe Flash on Internet Explorer 9 on Windows 7 by chaining together three zero-days (an overflow, an ASLR bypass technique and an IE9 sandbox memory corruption), earning itself another $70,000.
George Hotz exploited Adobe Reader XI (also on IE 9 on Win7), and Ben Murphy – the last contestant to target Java – has also managed to earn a prize even though he wasn’t there, because James Forshaw, a winner from the previous day, agreed to serve as proxy and demonstrate the attack.
All in all, ZDI has awarded over half a million dollars in cash prizes, along with, of course, the compromised laptops and ZDI reward points.
The Google-financed Pwnium hacking contest, also held at CanSecWest, this year requires contestants to “break” Chrome OS, but has so far not witnessed a successful exploitation.
In the meantime, Mozilla has already fixed the use-after-free zero-day flaw exploited yesterday by Vupen Security, and Google has issued a Chrome update that fixes the flaws discovered by the MWR Labs team.