Researcher Nets $225K In Pwn2Own Contest For Hacking Chrome, Safari And IE

It's always fun to see which security flaws get exploited at Pwn2Own, and this year's event has proven to be no exception. In fact, it could be considered to be one of the most exciting events to date, with JungHoon Lee exploiting three major browsers, and securing a record $110,000 payout for one of the flaws.

Starting the day off, JungHoon (aka: lokihardt) breached a time-of-check to time-of-use vulnerability in the 64-bit version of Internet Explorer, breaking out of the sandbox via a privileged JavaScript injection, allowing him to execute medium-integrity code. This flaw netted JungHoon $65,000.

His second proof-of-concept was the big one, worth $110,000. It affects both the stable and beta versions of Google Chrome; he was able to use a buffer overflow race condition in Chrome and also a race condition and info leak in the Windows kernel to gain SYSTEM access. The $110,000 is composed of two bugs; $75,000 for Chrome and $25,000 for the Windows kernel. The other $10,000 came from Google for the success of finding such a bug in the beta version of Chrome.

JungHoon Pwn2Own

Google and Microsoft weren't the only ones to fall to Lee: Apple was also hit. For his third prize, JungHoon exploited a use-after-free vulnerability in Safari to bypass the sandbox to execute code. This flaw was worth $50,000.

All told, JungHoon earned a staggering $225,000 for his efforts. His plans with the money? To move to a nicer part of his home country, South Korea. Not a bad idea. I'm sure this won't be the last we hear from him.