Every year at the CanSecWest security conference in Vancouver, Hewlett-Packard (NYSE: HPQ) runs the Pwn2Own hacking competition where big cash prizes are delivered for browser exploits.

This year no browser proved to be unhackable. The big winner of the contest was South Korean security researcher JungHoon Lee, who developed exploits for Internet Explorer and Chrome on Windows as well as Safari on OSX. For that, he walked away with $225,000 in cash.

Lee’s attack on Chrome exploits a buffer overflow race condition in Chrome, then uses an info leak and race condition in two Windows kernel drivers to get SYSTEM access according to HP’s Security Research blog. This attack bypasses the anti-exploit mechanisms included in Chrome, such as sandbox and address space layout randomization which has made the browser one of the more secure browsers.

“With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000,” Pwn2Own organizers wrote in a blog post. “To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration.”

Lee also demonstrated a viable Internet Explorer 11 attack. This attack bypassed Internet Explorer’s sandbox through something called a time-of-check to time-of-use (TOCTOU) vulnerability, which allows for elevated execution of Java Script. This earned Lee another $65,000.

Finally, Lee demonstrated an exploit for Safari with a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser and bypassed the sandbox for code execution.

Firefox was hacked on the first day of the contest using via a out-of-bounds read/write vulnerability leading to medium-integrity code execution vulnerability.

All of the exploits were disclosed to the vendors after the conference. The vendors will be given time to patch the exploits before the code is released to the public.

The post No Browser Was Safe at Pwn2Own 2015 appeared first on VR World.

So, even though Microsoft categorically denies doing anything of any sort, I and many of you know that most of what Microsoft does is usually through 3rd parties like SocialChorus that are contracted to take all of the blame for Microsoft in the event that they say something wrong or get caught doing something wrong. And as long as there’s no smoking gun, Microsoft is basically off the hook. So, it came as no surprise that Microsoft got caught trying to pay people for positive posts about Internet Explorer, a browser that is already on its way up from being considered the bottom feeder of the IT world.

However, TechCrunch recently discovered that a Twitter employee (and someone I follow on Twitter) recently stated that Microsoft tried to get him to post positive things about IE for money. As did Michael Arrington, one of the founding members of TechCrunch until he moved on to ‘bigger and better’ things.

Today Microsoft offered to pay me to blog about Internet Explorer. There’s not enough bitcoin in the world..

— Paul Stamatiou (@Stammy) June 17, 2014

So, naturally, Microsoft denied any wrongdoing and stated, “action by a vendor is not representative of the way Microsoft works with bloggers or other members of the media,” and that the “program has been suspended.”

But the truth is that Google has already caught on to what Microsoft has been doing and has notified both Microsoft and SocialChorus that they are investigating the manner and could penalize them for having done so. In fact, Google have penalized themselves for posting Chrome ads on Google and as a result for quite a bit of time Chrome was essentially impossible to search on Google. Sure, this is a merely procedural thing and Google will never fully block their own products from being seen, but you get the point. There is a very high chance Google could penalize both SocialChorus and Microsoft for having partaken in these activities and could result in more of a negative impact for IE than if they just let people use it and realize how much better it has gotten. I know I definitely like using it more now than I ever have in the past. (no, I did not get paid to say that)

The post Microsoft Pays People to Say Good Things About IE appeared first on VR World.

Browser wars are back, and they’re back in full strength: who is going to win? Mozilla Firefox leads the market share of alternative browsers and in some countries, such as Germany – enjoys leading market share. Google’s Chrome came out of beta, and then returned to beta status within the same year (1.0 beta becomes 1.0 – and 2.0 beta arrived this week) , while Apple made great progress forward with more stable and mature Safari. Version 4 is currently the leading browser in recently released Peacemaker, browser benchmark from “The Flying Finns” (Futremark).

So, what is Microsoft doing? Releasing its last internet browser based on current Internet Explorer technology. IE8 is the default web browser for Windows 7, but it is removable due to the completely new browser engine coming in late 2010.

IE8 was released some hours ago, and this version of “Exploder” will have to hold the fort for Microsoft until the next-gen technology debuts. If you want to try IE8, head over to official Microsoft’s Internet Explorer 8 download page or go to alternative sites such as TechPowerUp! or Softpedia.

The post Microsoft releases IE8: Last gasp or a fresh start? appeared first on VR World.