A team from Vupen, a French vulnerability research firm, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox, and IE11 for a one-day foursome.
To attack Adobe Flash, they exploited a use-after-free vulnerability with an IE sandbox bypass, which resulted in code execution.
"Use-after-free" is a term for a type of memory management bug.
Against Adobe Reader, they demonstrated a heap overflow and PDF sandbox escape, resulting in code execution.
A "sandbox" is an anti-exploit technology deployed by some software that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must "escape" the sandbox, to execute their malicious code on the machine.
Microsoft Internet Explorer's sandbox was bypassed due to a use-after-free vulnerability causing object confusion in the broker.
"Broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes.
Vupen researchers also hit Mozilla's Firefox by taking advantage of a use-after-free flow resulting in code execution.
Researchers Mariusz Mlynski and Jri Aedla atacked Firefox, with each winner picking up $50,000 for their exploit.
Pwn2Own continues today, with researchers slated to tackle Apple's Safari and Google's Chrome, as others take additional attempts at Adobe Flash, Firefox and Internet Explorer.
Also yesterday, Google ran its own one-day "Pwnium 4" contest at CanSecWest, pitting researchers against Chrome OS. A researcher has successfully exploited Chrome OS on an HP Chromebook 11, winning the notebook and a $150,000 prize.