Security researchers demonstrated zero-day exploits against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox and Adobe Flash Player during the second day of the Pwn2Own hacking competition Thursday, racking up total prizes of $450,000, reports “PC World” (http://tinyurl.com/kvshedy).
For Safari, the team used two different exploit vectors. One vulnerability was a heap overflow in WebKit that enabled arbitrary code execution. The team then used this opening to use another exploit to bypass the application sandbox and run code as if it was user privileged.
A team from French vulnerability research firm Vupen hacked Google Chrome by exploiting a use-after-free vulnerability that affects both the WebKit and Blink rendering engines. The researchers then successfully bypassed Chrome’s sandbox protection to execute arbitrary code on the underlying system. On Wednesday, the first day of the contest that takes place every year at the CanSecWest security conference in Vancouver, researchers from the same team hacked Internet Explorer 11, Firefox, Flash Player and Adobe Reader.