The 2013 Pwnie Nominee For Best Client-Side Bug

WebKit SVGElement Type Confusion (CVE-2013-0912)

Credit: MWRLabs

Use-after-free bugs in web browsers are so 2012. At CanSecWest, Nils and Jon used their SVG type confusion exploit as their first step into owning Chrome. In addition to using the vulnerability for code execution, they used it to leak out all of chrome.dll to search for ROP gadgets because Chrome updates every few days, especially right before Pwn2Own.