Microsoft has not been shy in the past nine months about advising users to install and use its Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation until zero-day vulnerabilities are patched.
Experts have advised enterprises and smaller organizations to deploy EMET as a proactive security measure; Microsoft has recommended it in response to a number of recent attacks, including an XP zero-day and another previously unreported vulnerability in Internet Explorer that was abused in watering hole attacks against a number of NGOs.
The tables, however, are about to be turned on EMET. At the upcoming CanSecWest Conference, the popular Pwn2Own contest will include a category that will test the mettle of EMET. Contest sponsor HP announced late last week a $150,000 grand prize for anyone able to bypass the EMET mitigations on a Windows 8.1 machine running Internet Explorer 11.
“We’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t,” said HP senior security content developer Angela Gunn.
EMET is a mitigation technology that puts up obstacles that attackers must hurdle in order to exploit a vulnerability, building on existing mitigations such as ASLR and DEP. EMET forces applications to use these mitigations, which are native to Windows. Microsoft recently added to EMET 4.0 a certificate pinning feature called Certificate Trust, which wards off man-in-the-middle attacks, as well as mitigations against return-oriented programming.
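The reason EMET has to force ASLR and DEP onto applications is that a Windows binary only gets them automatically if it was linked to opt in, which is recorded in the DllCharacteristics word of its PE optional header. The following is an added example, not code from the article or from Microsoft's EMET, that reads that field and reports which of those opt-in flags a binary carries; it parses a constructed minimal PE header so it runs offline, and the flag values come from the PE/COFF specification. A defender can point it at real executables to find binaries that would be running without ASLR or DEP unless something like EMET enforces them.

```python
"""Report whether a PE image opts into the Windows mitigations EMET enforces.

Added example (not the article's or EMET's own code). It reads the
DllCharacteristics field of the PE optional header and reports whether the
binary was linked with /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP). A constructed
minimal header serves as sample input so the script runs offline.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DLLCHAR_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR with high entropy
    "DYNAMIC_BASE": 0x0040,      # image may be relocated: ASLR opt-in
    "FORCE_INTEGRITY": 0x0080,   # signature must verify at load
    "NX_COMPAT": 0x0100,         # DEP opt-in
    "NO_SEH": 0x0400,            # image uses no structured exception handlers
    "GUARD_CF": 0x4000,          # Control Flow Guard
}

# The two mitigations the article names; a binary lacking either relies on
# system-wide enforcement (e.g. EMET) to get them.
REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT")


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image; raise ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # optional header starts here
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    if size_opt < 72:
        raise ValueError("optional header too short")
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def audit(data: bytes) -> dict:
    """Map each known flag name to whether the image sets it."""
    flags = dll_characteristics(data)
    return {name: bool(flags & bit) for name, bit in DLLCHAR_FLAGS.items()}


def missing_mitigations(data: bytes) -> list:
    """Names of the required mitigations (ASLR, DEP) the image did not opt into."""
    result = audit(data)
    return [name for name in REQUIRED if not result[name]]


def build_sample(flags: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal PE header with the given DllCharacteristics (sample input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # audit a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                                     # otherwise use a constructed sample without ASLR
        image = build_sample(DLLCHAR_FLAGS["NX_COMPAT"])
    for name, enabled in audit(image).items():
        print(f"{name:16s} {'yes' if enabled else 'no'}")
    print("missing:", missing_mitigations(image) or "none")
```

Run it with a path to a .exe or .dll to audit that file, or with no arguments to see the constructed sample, which opts into DEP but not ASLR and is therefore reported as missing DYNAMIC_BASE.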
“With EMET carrying that kind of burden of protection, researchers are getting more interested in testing its limits, and our grand prize reflects that,” Gunn said. “We may not have any successful contestants, but security researchers thrive on insanely difficult challenges; we’re excited to provide one.”
Gunn said that in order to win the grand prize, contestants must, in addition to breaking EMET, break out of the Internet Explorer sandbox, then locate new vulnerabilities in Windows that let them view system information, change data and control its behavior, before moving on to EMET.
In 2012, a researcher beat EMET with a pair of techniques; the mitigation bypass was one of the finalists in the first BlueHat Prize, a competition sponsored by Microsoft to encourage researchers to attack a defensive technology rather than beat a vulnerability brought on by poor coding.
The first BlueHat Prize of $200,000 was paid out at the 2012 Black Hat Briefings to Vasilis Pappas for his kBouncer ROP mitigation technology, which beat out two other ROP submissions. Pappas’ kBouncer technology uses the kernel to enforce restrictions on what processes can do, and prevents anything that looks like return-oriented programming from running.
Last October, Microsoft paid out a $100,000 prize to British researcher James Forshaw for a bypass of Windows memory protections, the second major bounty coming out of Redmond for a mitigation bypass.
The Exploit Unicorn is just one phase of the Pwn2Own contest. HP’s Zero Day Initiative announced the rules and prizes last week, revealing there will be three divisions for the competition: browsers, plug-ins and the grand prize.
Payouts in the browser competition are: $100,000 for Google Chrome on Windows 8.1, 64-bit, and Microsoft Internet Explorer 11 on Windows 8.1 64-bit; $65,000 for Apple Safari on OS X Mavericks; and $50,000 for Mozilla Firefox on Windows 8.1 64-bit.
In the plug-ins competition, payouts are $75,000 for Adobe Reader running in Internet Explorer 11 on Windows 8.1 64-bit and for Adobe Flash running in Internet Explorer 11 on Windows 8.1 64-bit; and $30,000 for Oracle Java running in Internet Explorer 11 on Windows 8.1 64-bit.