Hewlett-Packard’s Zero Day Initiative (ZDI) is putting up $645,000 in cash prizes for researchers involved in this year’s Pwn2Own contest, including $150,000 for anyone who can circumvent the protections of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
The annual contest, which will take place at the CanSecWest conference in Vancouver, awards white hat hackers who are able to takedown popular browsers and browser plugins. But this is the first time a specific prize has been offered for defeating EMET.
“The latest versions of Internet Explorer run in a special, isolated area of the computer’s memory,” explained Angela Gunn, senior security content developer at HP, in a blog post. “Tech folk call that a “sandbox,” but you can think of it as a padded room where an application can spend time without hurting itself or others. The first step in the contest is to break out of IE’s padded room – using a fault in the construction of the padded room itself.”
“Once that’s done, the contestant must gain control over the rest of the computer,” she blogged. “The second challenge is for the contestant to locate and use more faults in the system to read its information, change its data, and eventually control its behavior as he pleases; the newest 64-bit computers make that tough, but a successful contestant will prevail.”
“But there’s one more hurdle,” she added. “Microsoft has software called the Enhanced Mitigation Experience Toolkit (EMET). It essentially builds more padded rooms inside Windows and protects against many kinds of attack techniques – including payloads installed by attackers seeking the Exploit Unicorn. The third and ultimate test for our contestants is to break through EMET protections and truly control the computer.”
The hack must be done on a machine running Windows 8.1 x64 and Internet Explorer 11. Just exploiting IE 11 on Windows 8.1 x64 without beating EMET will garner a $100,000 prize. Other targets in the contest include the Google Chrome browser, Apple Safari and Mozilla Firefox, as well as the Oracle Java and Adobe Flash Player and Adobe Reader plug-ins.
Vulnerabilities and exploit techniques revealed at the contest will be disclosed to the affected vendors, and the proof-of-concept will become the property of HP.
The contest will run from March 12 to March 13. Interested researchers can register here at [email protected]
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Amazon Settles Ring Customer Spying Complaint
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Adobe Inviting Researchers to Private Bug Bounty Program
