[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Pwn2Own carnage continues as exploits take down Adobe Reader, Flash


By Dan Goodin
Ars Technica
March 8, 2013

Thursday was another grim day for Internet security as contestants at the Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash programs, allowing them to take full control of the computers they ran on. Oracle's Java was also, once again, felled.

The exploits, which fetched more than $160,000 in prizes, were impressive because they pierced a wall of defenses erected by some of the brightest minds in the field of software engineering. Those defenses included an anti-exploit "sandbox," which Adobe engineers added to Reader in 2010 and have been improving ever since. The mechanism isolates Web content in a restricted container that's sealed off from sensitive operating-system functions, such as writing files to disk or making system changes.

Until last month, no active attack had successfully bypassed the Reader sandbox protection. On Thursday, the defense suffered another significant blow when George Hotz, who hacked Sony's PlayStation 3 in 2010 at age 21, was also able to circumvent the Reader sandbox. The feat won him $70,000.

"The first thing I did was break into the sandbox, the next thing I did was break out," Hotz said, according to a tweet issued by members of Tipping Point, the HP division that sponsored the competition.


Attend #HITB2013AMS April 8th - 11th in Amsterdam.
Featuring over 42 international speakers and keynotes
by Bob Lord and Edward Schwartz http://conference.hitb.org