Research teams Wednesday cracked Microsoft's IE10 (Internet Explorer 10), Google's Chrome, and Mozilla's Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.
Earlier in the day, a solo hacker exploited Oracle's Java to win $20,000.
Vupen, a French vulnerability research and bug-selling firm that took first place at Pwn2Own last year, brought down IE10 running on a Windows 8-powered Surface Pro tablet by exploiting a pair of flaws.
"We've pwned [Microsoft's] Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," Vupen announced on Twitter Wednesday afternoon.
HP TippingPoint, whose ZDI (Zero Day Initiative) bug bounty program is co-sponsoring Pwn2Own this year -- Google has also pumped money into the contest -- confirmed the Vupen hack in a tweet of its own.
According to Pwn2Own's rules, which were dramatically revised from 2012's challenge, the first researcher or team of researchers to hack IE10 on Windows 8 wins a $100,000 cash prize, plus the machine hosting the browser target.
Toward the end of the day, Vupen followed up with an exploit of Firefox 19 on Windows 7, collecting another $60,000.
Pwn2Own started Wednesday at the CanSecWest security conference in Vancouver, British Columbia, and will run through Friday.
Also on Wednesday, a two-man team from MWR Labs, an arm of UK-based MWR InfoSecurity, hacked Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, vulnerabilities in the browser and operating system.
Like the Vupen hack of IE10, MWR Labs' exploit of Chrome resulted in a complete bypass of Windows anti-exploit "sandbox" technology. The MWR Labs researchers who found the bugs, built the exploits, and demonstrated their skills at Pwn2Own were Nils -- a young German who is known only by his first name -- and Jon Butler. Nils has a Pwn2Own history: He won $10,000 by hacking Mozilla's Firefox in 2010, and $15,000 the year before for exploiting Firefox, IE8 and Apple's Safari.
Nils and Butler described their Chrome hack in a brief blog post Wednesday, outlining how they defeated Windows' security defenses, including Address Space Layout Randomization and Data Execution Prevention.
For their work, Nils and Butler received $100,000.
At the opening of the contest, a pair of solo researchers -- James Forshaw, a principal consultant at Context Information Security in the U.K., and Joshua Drake of Accuvant -- exploited Oracle's Java. Forshaw, who took his jabs first, won $20,000, Pwn2Own's lowest-priced prize. Vupen also successfully hacked Java 7 with a vulnerability and exploit of its own.
In a departure from the original rules, ZDI said that it would purchase all successful vulnerabilities and their associated exploits from researchers, even those that were not awarded prizes. It did not say how much hackers would earn by selling such secondary flaws: ZDI and other bug bounty programs typically are tight-lipped about what they pay.