The new year is barely two months old and it’s already been a brutal one for the disclosure of new vulnerabilities. Java, Adobe Reader, Flash, Google Chrome and a number of other widely deployed applications have all been hit with a slew of serious bugs in just the last few weeks. And that’s likely to get worse this week as researchers convene in Vancouver for the Pwn2Own and Pwnium hacking contests.
The two contests are run in conjunction with the CanSecWest conference, and they have produced a large volume of interesting attacks and vulnerabilities in the last few years. Pwn2Own is the older of the two competitions and began humbly enough in 2007, with researchers competing to hack a new MacBook laptop with the promise of the laptop and $10,000 if you succeeded in compromising the machine. It took a full day for the winning team to emerge, and when they did, it was Shane Macaulay and Dino Dai Zovi, who had worked in tandem. Dai Zovi was in New York, and found the bug and write the exploit, while Macaulay ran the exploit in Vancouver.
And what software did they attack to win? Java.
That application, along with Adobe Flash, likely will be one of the main targets during Pwn2Own again this year, as they’re two of the most widely used and attacked apps in circulation. Java zero days have been coming by the bunches in the last few weeks, and Flash has been taking a beating for several years now. Because both of those plugins are loaded on billions of machines worldwide, researchers and attackers alike consider them to be high-value targets and vulnerabilities in Java or Flash often are used as a way to circumvent security protections in the browsers.
TippingPoint’s Zero Day Initiative, which runs Pwn2Own, is offering $70,000 for new attacks on Flash and $20,000 for Java. There also are $100,000 prizes for Google Chrome and Internet Explorer 10 both. The roster of researchers expected to show up for this year’s Pwn2Own contest includes a team from VUPEN, the French security firm that has dominated the competition in years past and has drawn a lot of criticism in the last year for its business model of selling vulnerabilities and exploits.
Google, for its part, is running its own competition, the third iteration of Pwnium. The company is offering up to $3 million in prize money for a compromise of Chrome OS on a WiFi model Samsung Series 5 550 Chromebook. Google also is offering up $110,000 each for a “browser or system level compromise in guest mode or as a logged-in user, delivered via a web page” and $150,000 for a “compromise with device persistence — guest to guest with interim reboot, delivered via a web page.”
Chrome has been the most difficult target for researchers in past competitions, and last year the company decided to start the Pwnium contest to generate more submissions from researchers. With all of the money floating around the conference halls in Vancouver this week, expect to see some interesting attack techniques emerge by the end of the event. VUPEN’s team has already said it has weaponized exploits for all of the categories in Pwn2Own, meaning there will be serious competition for the money.
And an avalanche of patches for users.
Pwn 2 Own image via Sporst‘s Flickr photostream