
    HP to Award Big Money to Winners of Pwn2Own Browser Hacking Challenge

    Written by

    Sean Michael Kerner
    Published February 16, 2015

      Hewlett-Packard’s Zero Day Initiative (ZDI) has announced the rules and prize structure for its 2015 Pwn2Own browser hacking challenge that is set to occur March 18 and 19 during the CanSecWest conference in Vancouver, British Columbia. The upcoming event will see a smaller prize pool than the 2014 event, though there is still a lot of money up for grabs.

      For the 2015 event, HP will pay security researchers a $75,000 award if they are able to exploit Google’s Chrome browser on Windows. A Microsoft Internet Explorer (IE) 11 exploit will yield a $65,000 prize, while a Mozilla Firefox exploit in 2015 will be worth $30,000. Additionally, there are $60,000 awards available for researchers who can exploit Adobe Reader or Adobe Flash running in IE. HP is also awarding $50,000 for an Apple Safari exploit on Mac OS X.

      “I believe the prices are justified and accurately represent the market value for these types of attacks against these targets in 2015,” Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK.

      Gorenc explained that during the planning phases for the 2015 Pwn2Own event, his team stepped back to take a look at what security researchers are submitting to the Zero Day Initiative.

      “Our program is seeing an increased number of quality use-after-free vulnerabilities and sandbox escapes in the Pwn2Own targets,” Gorenc said.

      Gorenc said that, based on ZDI’s recent win in Microsoft’s bounty program, HP ZDI is also aware of some unique weaknesses in Internet Explorer that are yet to be resolved. Gorenc and two other HP ZDI researchers were awarded a $125,000 prize by Microsoft for research into use-after-free memory vulnerabilities in IE.

      As to why the award for exploiting Mozilla Firefox is the lowest of all prize categories, Gorenc said it has to do with the state of security in Firefox.

      “The attack mitigations that Firefox provides just do not compare to browsers like Google Chrome,” he said. “Pwn2Own’s primary purpose is to test the attack mitigations offered by the various vendors, and prices of the individual targets reflect this.”

      There are some rule changes to the 2015 event that will make it more difficult for researchers to exploit browsers running on Windows.

      “We upped the ante this year by requiring all attacks to work when Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) mitigation protections compatible with the target are enabled,” Gorenc said. “To encourage contestants to bring stealthy attacks, we are also forcing all attacks to require no user interaction beyond the action required to browse to the malicious content.”

      In addition to the base-level award for exploiting the browsers, HP ZDI is offering researchers a $25,000 bonus for system-level code execution exploits. Gorenc explained that the system-level exploits represent another way to escape the sandbox of the target browser, but to do so they will need to leverage a vulnerability in Windows.

      “Windows 8.1 x64 provides a lot of interesting attack mitigations which should make it a fun challenge for the contestants but, at the same time, we have seen some pretty trivial sandbox escapes over the last year,” he said.

      In the 2014 Pwn2Own event, the largest single prize was $150,000 for the Exploit Unicorn. However, no researcher was able to claim that prize in the 2014 event. The Exploit Unicorn prize required a researcher to exploit IE 11 on Windows 8.1 64-bit, with EMET running. Many of the facets of the Exploit Unicorn were rolled into the base ruleset of this year’s Pwn2Own, according to Gorenc.

      “We also wanted to offer a top-up award of $25,000 for system-level bugs through any Windows-based target,” he said. “This change broadens the contestants’ available attack vectors to win extra money.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.
