SecurityWeek

Pwn2Own Hacking Contest to Target Browser Plug-ins

Hackers participating in this year’s Pwn2Own contest at the CanSecWest conference in Vancouver will have more than just a web browser to use as their playground.

This time, the upcoming competition will feature a new focus on browser plug-ins.

“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” blogged Brian Gorenc, manager of vulnerability research at HP TippingPoint’s DVLabs. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”

“That being said, we are not forgetting about the browser as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers,” he continued. “We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year’s competition.”

Researchers will be competing for a chance to win more than $500,000 in prize money. Their targets: Google Chrome on Windows 7; Microsoft Internet Explorer 10 (IE 10) on Windows 8; Internet Explorer 9 on Windows 7; Mozilla Firefox on Windows 7; and Apple Safari on Mac OS X Mountain Lion (10.8). Those going after browser plug-ins will have to target Adobe Reader XI, Adobe Flash and Oracle Java on IE9 on Windows 7.

The single largest prizes are reserved for the first person to take down Chrome on Windows 7 or IE10 on Windows 8. In both cases, the winner will receive $100,000. Compromising IE 9 on Windows 7 will earn the hacker $75,000, while going after Firefox and Safari will garner prizes of $60,000 and $65,000 respectively.

For the browser plug-ins, the largest prizes will go for targeting the Adobe Reader and Flash plug-ins (both $70,000), while the Java plug-in will be worth $20,000.

“The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion,” Gorenc blogged. “All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.”

Any vulnerability used at the event will be disclosed to the affected vendors. The contest will run March 6-8. Information regarding the rules can be found here.
