
The second and final day of the 2016 Pwn2Own competition wrapped up today.
By the afternoon an already exciting competition shifted into high-gear when two attempts failed in a row (a Pwn2Own first) and the top prize of Master of Pwn came down to the success or failure of the last attempt of the event by Tencent Security Team Sniper (KeenLab and PC Manager). After only two minutes, their demonstration succeeded making them the Master of Pwn for Pwn2Own 2016 with 38 Master of Pwn points and US$142,500. JungHoon Lee tied for second with 25 Master of Pwn points and US$145,000. 360Vulcan Team also tied for second with 25 Master of Pwn points and US$132,500. Tencent Security Team Shield came in fourth with 10 Master of Pwn points and US$40,000. All total, 98 Master of Pwn Points and US$ 460,000 were earned by these four teams.
Overall the event was very successful. It was the largest event in the history of Pwn2Own and resulted in 21 new vulnerabilities. For a full breakdown, see “Pwn2Own 2016 in Numbers” below.
As fun as the Pwn2Own competition is, ultimately it is serious business about understanding the current threats and weaknesses. This year’s competition succeeds in that regard. While it’s easy to focus on the state of browser security as shown at Pwn2Own, the real, important, technical story is about the state of kernel security. EVERY successful attack achieved SYSTEM or root privileges. This is a Pwn2Own first. It’s also a very worrying development. As ZDI researcher Jasiel Spelman noted, researchers and attackers are likely focusing on the kernel in response to advances in sandboxing. It’s a truism in security that when you harden one area, attackers and researchers will move their attention to another one. Based on Pwn2Own 2016, it appears that’s happening with a shift to focus on the kernel. This is also borne out by what we’re seeing in Linux lately: while Linux is outside the focus of Pwn2Own, we’ve seen a number of Linux kernel issues lately.
Hopefully, operating system vendors and maintainers will hear the message and give a renewed focus to the security of their kernels. This trend is likely to continue into the future.
Meanwhile, Pwn2Own 2016 has been a great event to kick off TippingPoint, ZDI and DVLabs joining Trend Micro.
Pwn2Own 2016 in Numbers:
Total prizes awarded:
|
|
Number of Attempts:
|
|
Number of Successful Attempts Against:
|
|
Percentage of Successful or Partially Successful attacks that achieved SYSTEM or root privilege: 100%
Contestant Success Standings:
|
|
Awards:
|
|
Number of new vulnerabilities:
|
|
Total number of new browser vulnerabilities: 6
Total number of new kernel vulnerabilities: 6
Day 2 Details:
|
|