Firefox 52.0.1

Mozilla engineers released Firefox 52.0.1 to patch a security flaw that came to light last Friday, in the Pwn2Own 2017 hacking contest.

All in all, it took Mozilla engineers only 22 hours from the time the bug was used during the competition, on Friday, March 17, and to when Mozilla published Firefox 52.0.1.

The vulnerability (CVE-2017-5428) was discovered and successfully used by the Chaitin Security Research Lab from Beijing, China, who exploited Firefox with an integer overflow and escalated privileges through an uninitialized buffer in the Windows kernel to get system-level privileges. Researchers won $30,000 for their exploit chain.

Bug discovered during Pwn2Own competition

The Pwn2Own competition is organized each year by Trend Micro, through its Zero Day Initiative (ZDI) group. This year was Pwn2Own's tenth edition, and Trend Micro was prepared to offer up to $1 million in money prizes.

Following the three-day competition, hackers took home $833,000 of the total money pool. The Chaitin Security Research Lab, the team who discovered the Firefox zero-day, finished third behind Qihoo's 360 Security team and Tencent Security's Team Sniper.

This year, participants hacked Windows, Windows Server, macOS, Ubuntu, Adobe Reader, Adobe Flash Player, Microsoft Edge, Safari, Firefox, and VMWare.

Researchers achieve "complete virtual machine escape"

The most creative exploit chain pocketed researchers $105,000 in one go. Researchers from Qihoo's 360 used a malicious website to trigger a heap overflow in Edge to escalate access to the underlying Windows OS, where they used a type confusion flaw to get kernel privileges, which they then used to exploit an uninitialized buffer and escape the VMWare Workstation virtual machine, gaining control over the underlying server/machine. That's as "h@ckz0r elite" as someone can get.

Below are the results from each Pwn2Own contest day in video format. For written results, check out the Trend Micro blog posts here (1), here (2), and here (3).