HP's Pwn2Own hacking contest targets browsers, plug-ins

The competition will focus on finding, demonstrating and “responsibly disclosing” vulnerabilities in all the popular web browsers, as it has in the past – but will add a focus on applications in the form of browser plug-ins.

“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” said ZDI, in announcing the contest. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”

The ZDI contest is slated to happen March 6–8 in Vancouver, during the CanSecWest 2013 conference. Google, which held a similar contest during the autumn 2012 CanSecWest event, is a sponsor.

The targets will be running on the latest, fully patched version of Windows 7 and 8, and OS X Mountain Lion. All targets will be installed in their default configurations. The first contestant to successfully compromise a selected target will win the prize for the category.

The vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations and so forth) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.

In all, ZDI is offering more than half a million dollars in cash and prizes during the competition for vulnerabilities and exploitation techniques across many categories:

  • Web Browser
  • Google Chrome on Windows 7 ($100,000)
  • Microsoft Internet Explorer, either:
    • IE 10 on Windows 8 ($100,000)
    • IE 9 on Windows 7 ($75,000)
  • Mozilla Firefox on Windows 7 ($60,000)
  • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
  • Adobe Reader XI ($70,000)
  • Adobe Flash ($70,000)
  • Oracle Java ($20,000)

Along with prize money, the contestant will receive the compromised laptop as a bonus.

What’s hot on Infosecurity Magazine?