SecurityWeek

Pwn2Own Hacking Contest to Target Browser Plug-ins

Hackers participating in this year’s Pwn2Own contest at the CanSecWest conference in Vancouver will have more than just a web browser to use as their playground.

This time, the upcoming competition will feature a new focus on browser plug-ins.

“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” blogged Brian Gorenc, manager of vulnerability research at HP TippingPoint’s DVLabs. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”

“That being said, we are not forgetting about the browser as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers,” he continued. “We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year’s competition.”

Researchers will be competing for a chance to win more than $500,000 in prize money. Their targets: Google Chrome on Windows 7; Microsoft Internet Explorer 10 (IE 10) on Windows 8; Internet Explorer 9 (IE 9) on Windows 7; Mozilla Firefox on Windows 7; and Apple Safari on Mac OS X Mountain Lion (10.8). Those going after browser plug-ins will have to target Adobe Reader XI, Adobe Flash and Oracle Java on IE 9 on Windows 7.

The single largest prizes are reserved for the first person to take down Chrome on Windows 7 or IE 10 on Windows 8. In both cases, the winner will receive $100,000. Compromising IE 9 on Windows 7 will earn the hacker $75,000, while going after Firefox and Safari will garner prizes of $60,000 and $65,000 respectively.

For the browser plug-ins, the largest prizes will go for targeting the Adobe Reader and Flash plug-ins (both $70,000), while the Java plug-in will be worth $20,000.

“The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion,” Gorenc blogged. “All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.”

Any vulnerability used at the event will be disclosed to the affected vendors. The contest will run March 6-8. Information regarding the rules can be found here.

Written By

Marketing professional with a background in journalism and a focus on IT security.
