For the second year in row, the organizers of the Pwn2Own hacking contest at the CanSecWest conference have changed up the rules, this time making the browser plug-ins that have been frequent targets for attackers for years fair game for the contestants, as well. Adobe Flash, Reader and Oracle’s Java are all going to be in the crosshairs during the contest, in addition to the classic lineup of Google Chrome, Internet Explorer and Mozilla Firefox.
The Pwn2Own contest has been the venue for a number of major demonstrations from researchers in the last few years, from attacks on Safari and OS X by Charlie Miller or Dino Dai Zovi to compromises of Internet Explorer and Windows by the researchers at VUPEN. The main targets in the contest since its inception have been the browsers, mostly IE, Safari and Firefox. For a few years mobile phones such as the iPhone and BlackBerry were part of the contest, too, but that fell by the wayside in 2011.
Now, HP TippingPoint’s Zero Day Initiative, which runs the contest, is bringing browser plug-ins into the fold, hoping that researchers will be able to identify new bugs in Flash, Reader and Java in return for some serious cash. A successful attack against Flash, for example, will win $70,000. Java, however, is only worth $20,000.
“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware. These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers. That being said, we are not forgetting about the browser as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers,” ZDI’s Brian Gorenc said in a blog post.
The contest is backed by more than $500,000 in prize money, including $100,000 each for Google Chrome and IE 10. The rules for Pwn2Own are basically the same, with researchers who take down one of the targets having to turn over all of the details of the vulnerability and the exploit to ZDI, who will in turn provide them to the affected vendor. That requirement has turned off some potential contestants, but the money involved still attracts a slew of top-level researchers.
The CEO of VUPEN, the French security research and exploit-sales firm, said on Twitter yesterday that the company was well-prepared for the upcoming contest.
“Pwn2Own rules and prizes are good. We have weaponized exploits for *all* categories and we registered for all. Expect us!” Chaouki Bekrar said.
However, Bekrar’s company makes its money from selling exploits to government agencies and other customers and last year VUPEN researchers didn’t participate in Google’s parallel Pwnium contest because it required contestants to give up full exploit details. In the past researchers who won during Pwn2Own only had to divulge the details of the crash that they exploited and did not have to submit their full exploits.
“Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack,” Gorenc said.
Last year’s contest had a different set of rules for the targets, too. In that contest, participants got points for successful exploits against various targets and each target stayed in the contest no matter how many people succeeded in taking it down. This year, once a contestant compromises a given target, it is off limits for other participants.
