
    HP to Award Big Money to Winners of Pwn2Own Browser Hacking Challenge

    By Sean Michael Kerner - February 16, 2015

      Hewlett-Packard’s Zero Day Initiative (ZDI) has announced the rules and prize structure for its 2015 Pwn2Own browser hacking challenge that is set to occur March 18 and 19 during the CanSecWest conference in Vancouver, British Columbia. The upcoming event will see a smaller prize pool than the 2014 event, though there is still a lot of money up for grabs.

      For the 2015 event, HP will pay security researchers a $75,000 award if they are able to exploit Google’s Chrome browser on Windows. A Microsoft Internet Explorer (IE) 11 exploit will yield a $65,000 prize, while a Mozilla Firefox exploit in 2015 will be worth $30,000. Additionally, there are $60,000 awards available for researchers who can exploit Adobe Reader or Adobe Flash running in IE. HP is also awarding $50,000 for an Apple Safari exploit on Mac OS X.

      “I believe the prices are justified and accurately represent the market value for these types of attacks against these targets in 2015,” Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK.

      Gorenc explained that during the planning phases for the 2015 Pwn2Own event, his team stepped back to take a look at what security researchers are submitting to the Zero Day Initiative.

      “Our program is seeing an increased number of quality use-after-free vulnerabilities and sandbox escapes in the Pwn2Own targets,” Gorenc said.

      Gorenc said that HP ZDI is also aware of some unique weaknesses in Internet Explorer, stemming from ZDI’s recent win in Microsoft’s bounty program, that have yet to be resolved. Gorenc and two other HP ZDI researchers were awarded a $125,000 prize by Microsoft for research into use-after-free memory vulnerabilities in IE.

      As to why the award for exploiting Mozilla Firefox is the lowest of all prize categories, Gorenc said it has to do with the state of security in Firefox.

      “The attack mitigations that Firefox provides just do not compare to browsers like Google Chrome,” he said. “Pwn2Own’s primary purpose is to test the attack mitigations offered by the various vendors, and prices of the individual targets reflect this.”

      There are some rule changes to the 2015 event that will make it more difficult for researchers to exploit browsers running on Windows.

      “We upped the ante this year by requiring all attacks to work when Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) mitigation protections compatible with the target are enabled,” Gorenc said. “To encourage contestants to bring stealthy attacks, we are also forcing all attacks to require no user interaction beyond the action required to browse to the malicious content.”

      In addition to the base-level award for exploiting the browsers, HP ZDI is offering researchers a $25,000 bonus for system-level code execution exploits. Gorenc explained that the system-level exploits represent another way to escape the sandbox of the target browser, but to do so they will need to leverage a vulnerability in Windows.

      “Windows 8.1 x64 provides a lot of interesting attack mitigations which should make it a fun challenge for the contestants but, at the same time, we have seen some pretty trivial sandbox escapes over the last year,” he said.

      In the 2014 Pwn2Own event, the largest single prize was $150,000 for the Exploit Unicorn. However, no researcher was able to claim that prize in the 2014 event. The Exploit Unicorn prize required a researcher to exploit IE 11 on Windows 8.1 64-bit, with EMET running. Many of the facets of the Exploit Unicorn were rolled into the base ruleset of this year’s Pwn2Own, according to Gorenc.

      “We also wanted to offer a top-up award of $25,000 for system-level bugs through any Windows-based target,” he said. “This change broadens the contestants’ available attack vectors to win extra money.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
