The annual Pwn2Own hacking event, sponsored each year by HP, took place again last week at the CanSecWest 2015 in Vancouver. As usual, all major browsers- including Chrome, Internet Explorer, Safari, and Firefox - were represented, and hackers were challenged to successfully exploit them for cash prizes.
In past events, the big winners were hacking teams that collaborated to execute well-crafted exploit strategies. But not this time. The big winner last week was Jung Hoon Lee from South Korea, who successfully and single-handedly brought down Safari, IE 11, and Chrome.
The hack of Google Chrome was particularly impressive. According to an article published in BGR:
"Using more than 2000 lines of code, Lee was able to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser. He then used an info leak and race condition in two Windows kernel drivers to secure SYSTEM access."
This particular feat netted Jung Hoon Lee $110,000. Of course, it wasn't easy - it took him all of two minutes to break Chrome.
The annual Pwn2Own event is always a reminder that web browsers cannot be trusted to provide protection against cyber criminals. In fairness, browsers were never designed to be security tools. And despite best efforts by vendors to harden their browsers, these applications will likely continue to be a primary attack vector used by cyber criminals to gain access to your corporate network.
Even more disturbing, browser-borne attacks often contain advance malware that is completely undetectable and able to easily bypass multiple layers of traditional security technologies. A recent report published by the Ponemon Institute revealed how massive this problem has become. Advanced malware attacks delivered through insecure web browsers have become a costly, disruptive security problem that organizations are becoming desperate to solve.
Good guys like Jung Hoon Lee are helping to improve browser security by discovering vulnerabilities, but as long as code from unknown web sources is rendered inside your network, browsers will never be completely secure. Learn more about browser malware and the risks that these attacks can pose to your organization. A complimentary copy of the full Ponemon report is available here.