Pwn2Own 2016 Results: Hacked Windows, OS X, Chrome, Edge, and Safari
This year, the Pwn2Own competition at the CanSecWest 2016 hacker conference brought the traditionally disappointing result for operating systems and browsers. Participants successfully ran exploits for vulnerabilities they had found in the latest versions of Windows and OS X, in Adobe Flash, and in all three browsers: Chrome, Edge and Safari. In total, hackers received $460,000 in awards.
Firefox was not included as a target this year because it "did not make major security improvements over last year," explained Brian Gorenc, manager of Vulnerability Research at HPE, which sponsored the event along with Trend Micro.
Of all the browsers, Google Chrome suffered the least: only two teams tried to crack it, and only one succeeded. Even then, the maximum prize was not awarded, because the vulnerability used was already known to Google developers, that is, it was not a 0day.
Microsoft Edge was cracked twice, and Apple Safari three times.
According to the rules of the competition, participants were required to disclose the 0day vulnerabilities they found to the organizers and developers. In OS X, hackers found 6 new 0day vulnerabilities. This operating system traditionally yields the most bugs.
On Windows with all patches installed and the Enhanced Mitigation Experience Toolkit (EMET) protection active, 5 new zero-day vulnerabilities were demonstrated. In Adobe Flash, 4.
Interestingly, this year the contest participants obtained SYSTEM or root access in every case; in previous years this was not so.
The organizers published two videos for each of the days of the competition, with a summary and a brief description of the exploits.
All of the vulnerabilities will be patched in the next security updates for Windows, OS X, Chrome, Edge and Safari.