These vulnerabilities and exploits represent months of work for the hackers who demonstrate them and are not the effort of just a few minutes at the conference. The code used and flaws will be disclosed to the publishers responsible so the flaws can be quickly closed before publication.
3 posted on 03/18/2016 2:17:10 AM PDT by Swordmaker
(This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)
To: Swordmaker
Just another “overnight success”....
4 posted on 03/18/2016 2:36:55 AM PDT by Paladin2
Day 1: The Details
- JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000.
- 360Vulcan Team: Demonstrated a successful code execution attack against Adobe Flash using a Flash confusion bug with use-after-free vulnerability in the Windows Kernel to run code in the SYSTEM context. This demonstration earned 13 Master of Pwn points and US$80,000.
- Tencent Security Team Shield (PC Manager and KeenLab): Demonstrated a successful code execution attack against Apple Safari to gain root privileges using two use-after-free vulnerabilities, one in Safari and the other in a privileged process. This demonstration earned 10 Master of Pwn points and US$40,000.
- 360Vulcan Team: Demonstrated a successful code execution attack against Google Chrome in the SYSTEM context. The attack used four vulnerabilities: two use-after-free vulnerabilities in Adobe Flash, one use-after-free vulnerability in the Windows Kernel and an out-of-bounds vulnerability in Google Chrome. This was a partial win due to the Google Chrome vulnerability being a duplicate of a previous, independent report to Google. This demonstration earned 12 Master of Pwn points and US$52,500.
- Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution attack against an out-of-bounds vulnerability in Adobe Flash that used an infoleak vulnerability and a use-after-free vulnerability in the Windows Kernel to achieve SYSTEM context. This demonstration earned 13 Master of Pwn points and US$50,000.
- Tencent Xuanwu Lab: Adobe Flash in Microsoft Edge: This attempt failed.
5 posted on 03/18/2016 3:52:22 AM PDT by Swordmaker
(This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)
To: Swordmaker
> The code used and flaws will be disclosed to the publishers responsible so the flaws can be quickly closed before publication.

That's the responsible way for a hacker to do it. Kudos, not only on their months of research work, but also on their ethics.
6 posted on 03/18/2016 4:45:44 AM PDT by dayglored
("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
To: Swordmaker
And of course- where are the testing criteria listed? What specific devices are being “hacked”? What is turned on or off in the built-in and default security settings? Are the hackers given direct access to the devices?
I’m all about security - but some of these “tests” in the past really were more about social engineering (like so many Windows-based exploits) than actual flaws.
Inquiring minds want to know...
7 posted on 03/18/2016 9:12:22 AM PDT by TheBattman
(Isn't the lesser evil... still evil?)