Pwn2Own carnage continues as exploits take down Adobe Reader, Flash

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2013/03/pwn2own-carnage-continues-as-exploits-take-down-adobe-reader-flash/

By Dan Goodin
Ars Technica
March 8, 2013

Thursday was another grim day for Internet security as contestants at the 
Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash 
programs, allowing them to take full control of the computers they ran on. 
Oracle's Java was also, once again, felled.

The exploits, which fetched more than $160,000 in prizes, were impressive 
because they pierced a wall of defenses erected by some of the brightest minds 
in the field of software engineering. Those defenses included an anti-exploit 
"sandbox," which Adobe engineers added to Reader in 2010 and have been 
improving ever since. The mechanism isolates Web content in a restricted 
container that's sealed off from sensitive operating-system functions, such as 
writing files to disk or making system changes.

Until last month, no active attack had successfully bypassed the Reader sandbox 
protection. On Thursday, the defense suffered another significant blow when 
George Hotz, who hacked Sony's PlayStation 3 in 2010 at age 21, was also able 
to circumvent the Reader sandbox. The feat won him $70,000.

"The first thing I did was break into the sandbox, the next thing I did was 
break out," Hotz said, according to a tweet issued by members of Tipping Point, 
the HP division that sponsored the competition.

[...]


______________________________________________
Attend #HITB2013AMS April 8th - 11th in Amsterdam.
Featuring over 42 international speakers and keynotes
by Bob Lord and Edward Schwartz http://conference.hitb.org