All Four Major Browsers Hacked in Pwn2Own Contest

    Not a single browser was left standing

    Could the world use yet another browser? Sure, if security is at the forefront of your mind. At the annual Pwn2Own hacking contest that took place this week, Internet Explorer, Firefox, Chrome, and Safari all fell prey to remote code execution exploits by the second day. Not to make a mountain out of a molehill, this isn't unusual, as every year hackers gather at CanSecWest's conference to show off their skills for prizes.
    Credit goes to JungHoon Lee (known online as lokihardt) for taking down a 64-bit build of Internet Explorer with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges, which netted him a prize bounty of $65,000.
    Lee then took out Chrome with a buffer overflow race condition, followed by an info leak and race condition in two Windows kernel drivers to get SYSTEM access, earning him the biggest payout in Pwn2Own history -- $75,000 for the Chrome bug and an extra $25,000 for the privilege escalation to SYSTEM, plus another $10,000 from Google for a total of $110,000. That worked out to $916 per second for his two-minute demonstration, HP reports.
    Before wrapping up work for the day, Lee hacked Apple's Safari browser using a use-after-free (UAF) vulnerability in an uninitialized stack pointer and bypassed the sandbox for code execution. His reward was $50,000, bringing his total for the day to $225,000.
    In all, researchers earned $442,500 in bounties over the course of two days.
    ClanofIdiots.com Administrator
    PcGamingNetworks.com Co-owner
    webmaster@clanofidiots.com