HP's Pwn2Own hacking contest targets browsers, plug-ins

23 January 2013

HP’s DVLabs Zero Day Initiative (ZDI) is gearing up for its annual hacking contest, Pwn2Own, with an expansion of scope beyond finding vulnerabilities in web browsers.

The competition will focus on finding, demonstrating and “responsibly disclosing” vulnerabilities in all the popular web browsers, as it has in the past – but will add a focus on applications in the form of browser plug-ins.

“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” said ZDI, in announcing the contest. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”

The ZDI contest is slated to happen March 6–8 in Vancouver, during the CanSecWest 2013 conference. Google, which held a similar contest during the autumn 2012 CanSecWest event, is a sponsor.

The targets will be running on the latest, fully patched version of Windows 7 and 8, and OS X Mountain Lion. All targets will be installed in their default configurations. The first contestant to successfully compromise a selected target will win the prize for the category.

The vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

Upon successful demonstration of the exploit, the contestant must provide HP ZDI with a fully functioning exploit and full details of the vulnerability used in the attack. If multiple vulnerabilities were chained to gain code execution, details of every vulnerability leveraged (memory corruption, infoleaks, escalations and so forth) and the sequence in which they were used must be provided to receive the prize money. The initial vulnerability used in the attack must be in the registered category.

In all, ZDI is offering more than half a million dollars in cash and prizes during the competition for vulnerabilities and exploitation techniques across many categories:

  • Web Browser:
    • Google Chrome on Windows 7 ($100,000)
    • Microsoft Internet Explorer, either:
      • IE 10 on Windows 8 ($100,000)
      • IE 9 on Windows 7 ($75,000)
    • Mozilla Firefox on Windows 7 ($60,000)
    • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7:
    • Adobe Reader XI ($70,000)
    • Adobe Flash ($70,000)
    • Oracle Java ($20,000)

Along with prize money, the contestant will receive the compromised laptop as a bonus.
