Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

Update: 28th March 2017:
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

Update: 11th April 2017:
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s