Young Hackers Win Big Bucks Crushing Your Web Browsers

JungHoon Lee, seated with MacBook, simultaneously hacks Google Chrome and Microsoft Windows. Credit: Paul Wagenseil/Tom's Guide

(Image credit: JungHoon Lee, seated with MacBook, simultaneously hacks Google Chrome and Microsoft Windows. Credit: Paul Wagenseil/Tom's Guide)

VANCOUVER — Every major Web browser was quickly hacked during the latest Pwn2Own contest here at the CanSecWest 2015 security conference, with the contestants walking away with more than half-a-million dollars in prize money.

Top honors went to a young Korean named JungHoon Lee, who took down the latest versions of Mozilla Firefox, Microsoft Internet Explorer and Google Chrome today (March 19) to go home with a whopping $225,000.

"He's targeting Google Chrome and using their most hardened version, and was able to not only compromise Google Chrome, but also compromise the Windows operating system and ended up with a shell in System, so he was able to control the whole machine," explained Brian Gorenc, a representative of Hewlett-Packard's Zero Day Initiative (ZDI) bug-hunting team, which co-sponsored the event with Google.

MORE: Best Antivirus Software

During Lee's Chrome attack, a member of the ZDI team navigated the latest beta version of Google Chrome for Windows to a Web page hosted on Lee's MacBook, and an exploit hidden in the page quickly took over the ZDI team's laptop. The ZDI team held up the laptop to show a command-line interface with system, or root, access.

"The base price for that category was $75,000," Gorenc said. "The addition of the system shell, or the system exploit, gained him another $25,000, and the fact that he was targeting the latest beta version of Chrome gained him an extra $10,000, as a reward from the Google Chrome security team."

Lee had already defeated Internet Explorer 11 that morning to win $65,000, and later in the afternoon, he would crush Apple Safari to win another $50,000.

A trio from China calling themselves 360 Vulcan Team defeated Internet Explorer 11 yesterday (March 18), but one bug in their exploit chain had previously been disclosed, so they won only $32,500.

Nevertheless, that team managed to beat the Internet Explorer on a 64-bit machine with Microsoft's protective Enhanced Mitigation Experience Toolkit fully enabled, an achievement that Gorenc called "amazing."

"As Microsoft takes these exploits and vulnerabilities apart," he said, "they can make improvements to their operating system, make improvements to their software, so that the end user, when they're using the Internet, will be more protected every day and the result will be less compromise in the future."

Adobe Reader and Adobe Flash both fell yesterday to two different teams, with one exploit of each gaining system privileges.

Each winner must immediately reveal his or her exploit in private to the software maker, who in turn works on patching it in the next software update. Such zero-day exploits, never before seen by researchers, are worth a lot of money, and browser makers are happy to pay to keep them out of the hands of the NSA or cybercriminals.

"We put the vendor and the researcher together and talk about how to fix the vulnerabilities, what the weaknesses are, what kind of patches they should implement to fix these types of issues," Gorenc said. "In the end, what we're doing is actually providing invaluable information to make sure the ecosystem and the software that's being used every day is hardened."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.