Pwn2Own 2013 Takes Aim at Browser Plugins
Over half a million in cash and prizes are on the table at HP's Zero Day Initiative event.
In the pantheon of security events, Pwn2own stands alone. Over the years, Pwn2own has shocked vendors, thrilled the general public and awarded accolades to researchers as they step up to the plate in a live event to hack browser technologies, often in a matter of minutes.
In 2013, HP TippingPoint's Zero Day Initiative (ZDI) is upping the ante with $560,000 in cash awards up for grabs, a significant increase over the $105,000 offered at Pwn2own 2012. Unlike the 2012 event, this year's Pwn2own does not use a points-based approach to determine a single winner.
Instead, the first researcher to hack, or pwn, Google Chrome will earn $100,000, as will the first researcher to compromise Microsoft IE 10 on Windows 8. Hacking Firefox will yield $60,000, while a successful Safari exploit will bring in $65,000.
"We have gone back to the individual approach mostly because there have been specific mitigations in various platforms and we want to see them tested," said Brian Gorenc, manager, Zero Day Initiative, HP DVLabs. "We want to get more people participating and we want to fix more bugs."
But wait, there is more.
"We're expanding the coverage beyond just the Web browser," Gorenc said. "We're doing that because we see exploit kits going after the plugins, and they are being actively used to exploit large organizations."
The plugins that Pwn2own 2013 will target include Adobe Reader XI and Adobe Flash, with $70,000 in cash awarded for the successful exploitation of each on IE 9 running on Windows 7. Contestants will also get a shot at the single most exploited plugin of 2013 (so far): $20,000 is at stake for a successful exploit of Oracle Java.
Java was just updated earlier this week in an emergency out-of-band patch.
Google is Back
Google is among those sponsoring the 2013 Pwn2own event, despite a rocky recent history with the contest. Ahead of the 2012 event, Google accused the event organizers of not requiring full vulnerability details to be disclosed to vendors. In response, Google withdrew its support and held its own hacking event, Pwnium, at the same time as Pwn2own.
Gorenc noted that Google and ZDI have the same goals and a lot of people are excited to have Google back in the Pwn2own fold. Google's sponsorship is for the entire event and is not limited just to Chrome.
Ready to Hack
At the 2012 event, security research firm VUPEN exploited Chrome, reportedly by way of a Flash bug. The group is already gearing up for the 2013 event.
"Pwn2Own rules and prizes are good," Chaouki Bekrar, CEO and Head of Research at VUPEN, tweeted. "We have weaponized exploits for *all* categories and we registered for all. Expect us."
Gorenc noted that for the 2013 competition, researchers will need to have a bug in the category for which they are entered. For example, a Chrome exploit will require a Chrome bug. He stressed that the registration process for researchers will carefully lay out specific requirements.
"We try to take all the lessons learned from past competitions and improve the contest every year," Gorenc said. "We did a lot of thinking around the rules this year and are looking forward to a lot of participation and hopefully give away all the money, so we can get these products fixed."
Pwn2own 2013 takes place March 6-8 at the CanSecWest 2013 conference in Vancouver, Canada.