FORTUNE — Everybody’s Web software got “pwned” at the Pwn2Own hackers conference this week: Apple’s (AAPL) Safari, Google’s (GOOG) Chrome, Microsoft’s (MSFT) Internet Explorer, Mozilla’s Firefox and Adobe’s (ADBE) Reader and Flash.
Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines.
Safari was defeated by Liang Chen, one of a pair of Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect.
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen told ThreatPost’s Michael Mimoso. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
In a separate interview with CNET, Chen said that OS X is harder to attack than iOS 7.0 because Apple issues security updates for its desktop operating system more frequently than for its mobile OS.
The two-day event, sponsored by Hewlett-Packard (HPQ) and organized by the HP-owned Zero-Day Initiative, paid out $850,000 in prize money to eight teams of competitors, plus another $82,500 in charitable donations. The event was staffed by observers from Apple and the other companies, which will presumably now start patching those holes.
“I think the WebKit fix will be relatively easy,” Chen told Mimoso. “The system-level vulnerability is related to how they designed the application; it may be more difficult for them.”
CORRECTION: An earlier version of this story had the prize money wrong. Keen Team won $62,500 for pwning Safari and another $75,000 for an Adobe Flash exploit for a total of $137,500. Source: Pwn2Own 2014: Rules and Unicorns