Hackers participating in this year’s Pwn2Own contest at the CanSecWest conference in Vancouver will have more than just a web browser to use as their playground.
This time, the upcoming competition will feature a new focus on browser plug-ins.
“Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware,” blogged Brian Gorenc, manager of vulnerability research at HP TippingPoint’s DVLabs. “These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers.”
“That being said, we are not forgetting about the browser as we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers,” he continued. “We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year’s competition.”
Researchers will be competing for a chance to win more than $500,000 in prize money. Their targets: Google Chrome on Windows 7; Microsoft Internet Explorer 10 (IE 10) on Windows 8; Internet Explorer 9 (IE 9) on Windows 7; Mozilla Firefox on Windows 7; and Apple Safari on Mac OS X Mountain Lion (10.8). Those going after browser plug-ins will have to target Adobe Reader XI, Adobe Flash and Oracle Java on IE 9 on Windows 7.
The single largest prizes are reserved for the first person to take down Chrome on Windows 7 or IE 10 on Windows 8. In both cases, the winner will receive $100,000. Compromising IE 9 on Windows 7 will earn the hacker $75,000, while going after Firefox and Safari will garner prizes of $60,000 and $65,000 respectively.
For the browser plug-ins, the largest prizes will go for targeting the Adobe Reader and Flash plug-ins (both $70,000), while the Java plug-in will be worth $20,000.
“The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion,” Gorenc blogged. “All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.”
Any vulnerability used at the event will be disclosed to the affected vendors. The contest will run March 6-8. Information regarding the rules can be found here.