On the heels of last summer's NSA spying stories, which are still going strong, security has become the focus of even the most careless of computer users. Consumers who, as little as a year ago, considered adding a capital letter into their password to be additional security are now considering external backup services, password locker programs, and encryption protocols. The trust of the average consumer has been shaken and changes are being made.
But what happens when consumers lose faith in the browsers that enable much of their daily activity on the web? How vulnerable are we to zero-day attacks from determined hackers? If the last Pwn2Own hacking competition is any indication, you may not want to know.
Pwn2Own is a hacking contest, sponsored by HP's Zero Day Initiative, which is designed to challenge security professionals to demonstrate vulnerabilities and flaws in popular consumer and enterprise software. The Pwn2Own contest began in 2007 as a demonstration at the CanSecWest security conference and has expanded to include prizes of over $100,000 for the most innovative exploits.
The rules of Pwn2Own change with the year as threats to software change. Currently, the competition can cover most browsers, operating systems, mobile device platforms, and other software types like plugins. For a team to be successful in demonstrating a vulnerability, as well as eligible for the prize money, hacks must be new techniques or processes that exploit previously unknown issues.
While the existence of new and creative vulnerabilities in software is not much of a story in itself, the fact that all of the major browsers were compromised in this single contest is.
According to the results of the second day of Pwn2Own, zero-day exploits were demonstrated against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, as well as Adobe Flash Player. This follows successful assaults on Internet Explorer 11, Firefox, Flash Player, and Adobe Reader from the previous day.
All exposed vulnerabilities and the techniques for exploiting them are shared with the vendors of the affected software or systems.
The total awards for the successful exploits came to nearly a million dollars paid out to all of the winning teams.
How does this affect consumers?
Zero-day exploits will always be a threat to systems and software as long as there are people interested in exploiting strangers for money or power. The only way to protect against zero-day attacks is to be vigilant, educated, and aware of the software you use in your everyday life, and to always install security patches as they are made available.