Hewlett-Packard’s Zero Day Initiative (ZDI) has announced the rules and prize structure for its 2015 Pwn2Own browser hacking challenge that is set to occur March 18 and 19 during the CanSecWest conference in Vancouver, British Columbia. The upcoming event will see a smaller prize pool than the 2014 event, though there is still a lot of money up for grabs.
For the 2015 event, HP will pay security researchers a $75,000 award if they are able to exploit Google’s Chrome browser on Windows. A Microsoft Internet Explorer (IE) 11 exploit will yield a $65,000 prize, while a Mozilla Firefox exploit in 2015 will be worth $30,000. Additionally, there are $60,000 awards available for researchers who can exploit Adobe Reader or Adobe Flash running in IE. HP is also awarding $50,000 for an Apple Safari exploit on Mac OS X.
“I believe the prices are justified and accurately represent the market value for these types of attacks against these targets in 2015,” Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK.
Gorenc explained that during the planning phases for the 2015 Pwn2Own event, his team stepped back to take a look at what security researchers are submitting to the Zero Day Initiative.
“Our program is seeing an increased number of quality use-after-free vulnerabilities and sandbox escapes in the Pwn2Own targets,” Gorenc said.
Gorenc said that HP ZDI is also aware of some unique weaknesses in Internet Explorer, based on ZDI’s recent win from Microsoft’s bounty program, that are yet to be resolved. Gorenc and two other HP ZDI researchers were awarded a $125,000 prize by Microsoft for research into use-after-free memory vulnerabilities in IE.
As to why the award for exploiting Mozilla Firefox is the lowest of all prize categories, Gorenc said it has to do with the state of security in Firefox.
“The attack mitigations that Firefox provides just do not compare to browsers like Google Chrome,” he said. “Pwn2Own’s primary purpose is to test the attack mitigations offered by the various vendors, and prices of the individual targets reflect this.”
There are some rule changes to the 2015 event that will make it more difficult for researchers to exploit browsers running on Windows.
“We upped the ante this year by requiring all attacks to work when Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) mitigation protections compatible with the target are enabled,” Gorenc said. “To encourage contestants to bring stealthy attacks, we are also forcing all attacks to require no user interaction beyond the action required to browse to the malicious content.”
In addition to the base-level award for exploiting the browsers, HP ZDI is offering researchers a $25,000 bonus for system-level code execution exploits. Gorenc explained that the system-level exploits represent another way to escape the sandbox of the target browser, but to do so, contestants will need to leverage a vulnerability in Windows.
“Windows 8.1 x64 provides a lot of interesting attack mitigations which should make it a fun challenge for the contestants but, at the same time, we have seen some pretty trivial sandbox escapes over the last year,” he said.
In the 2014 Pwn2Own event, the largest single prize was $150,000 for the Exploit Unicorn. However, no researcher was able to claim that prize in the 2014 event. The Exploit Unicorn prize required a researcher to exploit IE 11 on Windows 8.1 64-bit, with EMET running. Many of the facets of the Exploit Unicorn were rolled into the base ruleset of this year’s Pwn2Own, according to Gorenc.
“We also wanted to offer a top-up award of $25,000 for system-level bugs through any Windows-based target,” he said. “This change broadens the contestants’ available attack vectors to win extra money.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.