[ISN] Pwn2Own carnage continues as exploits take down Adobe Reader, Flash
By Dan Goodin
March 8, 2013
Thursday was another grim day for Internet security as contestants at the
Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash
programs, allowing them to take full control of the computers they ran on.
Oracle's Java was also, once again, felled.
The exploits, which fetched more than $160,000 in prizes, were impressive
because they pierced a wall of defenses erected by some of the brightest minds
in the field of software engineering. Those defenses included an anti-exploit
"sandbox," which Adobe engineers added to Reader in 2010 and have been
improving ever since. The mechanism isolates Web content in a restricted
container that's sealed off from sensitive operating-system functions, such as
writing files to disk or making system changes.
Until last month, no active attack had successfully bypassed the Reader sandbox
protection. On Thursday, the defense suffered another significant blow when
George Hotz, who hacked Sony's PlayStation 3 in 2010 at age 21, was also able
to circumvent the Reader sandbox. The feat won him $70,000.
"The first thing I did was break into the sandbox, the next thing I did was
break out," Hotz said, according to a tweet issued by members of Tipping Point,
the HP division that sponsored the competition.