Pwn2Own Hacking Contest to Target Browser Plug-ins

Hackers participating in this year’s Pwn2Own contest at the CanSecWest conference in Vancouver will have more than just a web browser to use as their playground.

This time, the upcoming competition will feature a new focus on browser plug-ins.

“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” blogged Brian Gorenc, manager of vulnerability research at HP TippingPoint’s DVLabs. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”

“That being said, we are not forgetting about the browser as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers,” he continued. “We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year’s competition.”

Researchers will be competing for a chance to win more than $500,000 in prize money. Their targets: Google Chrome on Windows 7; Microsoft Internet Explorer 10 (IE 10) on Windows 8; Internet Explorer 9 on Windows 7; Mozilla Firefox on Windows 7; and Apple Safari on Mac OS X Mountain Lion (10.8). Those going after browser plug-ins will have to target Adobe Reader XI, Adobe Flash and Oracle Java on IE9 on Windows 7.

The single largest prizes are reserved for the first person to take down Chrome on Windows 7 or IE10 on Windows 8. In both cases, the winner will receive $100,000. Compromising IE 9 on Windows 7 will earn the hacker $75,000, while going after Firefox and Safari will garner prizes of $60,000 and $65,000 respectively.

For the browser plug-ins, the largest prizes will go for targeting the Adobe Reader and Flash plug-ins (both $70,000), while the Java plug-in will be worth $20,000.

“The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion,” Gorenc blogged. “All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.”

Any vulnerability used at the event will be disclosed to the affected vendors. The contest will run March 6-8. Information regarding the rules can be found here.
