The latest edition of Pwn2Own, the annual hacking contest that takes place alongside the CanSecWest conference, is all set for the end of May. The contest, which has attracted the best brains in the hacking world, has earned notoriety over the years for the brazen attacks carried out against popular web browsers, including IE, Firefox, Chrome and Safari.
The theme of the contest is simple enough: hack a fully patched browser running on a fully patched laptop, and the winner keeps the laptop, besides getting a bounty reward. Hackers have 30 minutes to execute their attack, which should involve code execution, and not involve user interaction. The contestants should moreover use only new and previously undisclosed vulnerabilities.
Last year, the contestants could sell the details of the vulnerability to anyone they pleased, including security services that specialized in zero-day ransoms, but this year the rules dictate that the contestants disclose full details of the vulnerability used in the exploit to HP TippingPoint, the organizers. The bounty on offer varies, depending on the OS and the browser. The top bounty on offer is $100,000 for a successful Google Chrome exploit in Windows 7, or for an IE 10 exploit on Windows 8.
Nevertheless, any successful attack on the top four browsers would make the hacker richer by half a million dollars. Unlike last year, prizes are also on offer for exploits against browser plugins, exposing the likes of Adobe Flash and Java, which even otherwise ooze vulnerabilities, to the contest for the first time.
The prize money, incidentally, reflects the value that the security world places on the vulnerability. Vulnerabilities in Google Chrome command a high bounty, whereas the prize for discovering a vulnerability in Oracle’s Java, in the news for all the wrong reasons, is just 20 percent of the top prize.
The bounty and the recognition on offer may well be worthwhile for network security, as they provide a good incentive for the best of brains to make a determined attack against popular web browsers in the most secure of configurations. The contest would, as in the past, likely unearth many vulnerabilities, far more than any in-house security testing would.
The contest would make the Internet a much safer place.