Accuvant’s Joshua Drake Wins Pwn2Own 2013

Exploits Java Bug and Takes Control of Fully-Patched Windows OS Within 15 Seconds

Vancouver, B.C. – March 7, 2013 – Accuvant, the authoritative source for information security, today announced that Joshua Drake, Accuvant research practice manager, has won Pwn2Own 2013 with an Oracle Java Software exploit. Drake’s zero-day Java exploit circumvented address space layout randomization (ASLR) and data execution prevention (DEP), enabling him to take control of a fully-patched Windows OS within 15 seconds. 

“The work that Joshua Drake performed on behalf of Accuvant is exemplary of our ability to positively affect the industry,” said Ryan Smith, vice president of research for Accuvant. “We find software vulnerabilities every day – they are not at all unique to Java.  However, Java is an enormously complex system, and complex systems invite vulnerabilities. With the disclosure of this particular bug, organizations and individuals have one less monster in the Java closet, and hopefully, malware distributors have a slightly harder job.”

Pwn2Own is an annual contest held at the CanSecWest conference in Vancouver, British Columbia. This year, the competition focused on challenging researchers to find harmful exploits and successfully hack the latest releases of web browsers and browser plug-ins for cash and other prizes.

Drake, a published author and accomplished speaker, focuses on original research in areas such as vulnerability discovery and analysis, exploitation technologies, and reverse engineering. Prior to joining Accuvant, he served as the lead exploit developer for the Metasploit team at Rapid7, where he analyzed and successfully exploited numerous publicly disclosed vulnerabilities in widely deployed software. Previously, Drake spent four years at VeriSign's iDefense Labs conducting research, analysis and coordinated disclosure of hundreds of unpublished vulnerabilities.

About Accuvant
Accuvant is the only research-driven information security partner delivering alignment between IT security and business objectives, clarity to complex security challenges and confidence in complex security decisions.

Based on our clients’ unique requirements, Accuvant assesses, architects and implements the policies, procedures and technologies that most efficiently and effectively protect valuable data assets.

Since 2002, more than 4,500 organizations, including half of the Fortune 100 and 800 federal, state and local entities, have trusted Accuvant with their security challenges. Headquartered in Denver, Accuvant has offices across the United States and Canada. For more information, please visit, follow us on Twitter: @Accuvant, or keep in touch via Facebook:


# # #