Vulnerabilities / Threats

1/25/2018
06:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards

Microsoft is a partner at annual contest for the first time.

In a sign of just how much value software vendors have begun attaching to crowdsourced security research, up to $2 million will be up for grabs at the Pwn2Own challenge at the CanSecWest conference in Vancouver, Canada, this March.

The amount is the highest ever offered in rewards at the annual hacking contest. It reflects contributions from VMware and Microsoft, which for the first time will participate as a partner at the event, along with Trend Micro's Zero Day Initiative (ZDI).

Also for the first time, the Pwn2Own contest will offer a Windows Insider Preview challenge in which participants will have an opportunity to take a crack at prerelease versions of Windows products configured by Microsoft and running on the company's hardware.

The challenge will use the Windows 10 RS4 (Redstone 4) Insider Preview build as the base platform and give bug hunters an opportunity to match their wits against some of Microsoft's flagship security technologies.

"Microsoft has been a target before, but they have never participated as a partner," says Dustin Childs, communications manager for ZDI. "We're excited to have Microsoft as a partner and VMware as a sponsor for this year's event. It shows vendors recognize the value provided by the contest," he says.

The annual Pwn2Own contest has become something of an annual pilgrimage for many security researchers from around the world. The event provides an opportunity for them to essentially win rewards for hacking into widely used technology products using previously unknown exploits. Bugs and exploits that are uncovered in target products at the event are sold or shared with the respective security vendors.

Last year, security researchers, many of whom worked in teams, collected over $830,000 in total payouts for discovering various exploits in target products such as VMware Workstation, Microsoft Edge, Google Chrome, Microsoft Hyper-V, and Mozilla's Firefox. Researchers participating at the event uncovered a total of 51 different zero-day vulnerabilities.

Since Pwn2Own launched in 2007 it has gotten progressively bigger, more formal, and more challenging for hackers. For some vendors the event is a testing ground of sorts for their products and an opportunity to discover security issues in their products before attackers exploit the flaws.

From initially focusing on Web browsers and operating systems, Pwn2Own has broadened to include multiple technologies such as virtualization, cloud, and mobile. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.

"The first Pwn2Own required just one vulnerability to exploit an Apple Macbook," says Childs. "A successful entry this year will require multiple exploits, sandbox escapes, mitigation bypasses, and other advanced techniques. In other words, it's much more difficult."

This year's event offers contestants targets in five separate categories: virtualization, enterprise applications, Web browsers, servers, and Windows Insider Preview.

This March's Pwn2Own event expands the virtualization category by adding Oracle's VirtualBox as a target for contestants. The three challenges that Microsoft will offer as part of its Windows Insider Preview Challenge are also new.

Award amounts in the various categories vary depending on the target and level of difficulty.

For instance, contestants who can successfully execute a certain type of attack against Microsoft's Hyper-V client can earn up to $150,000 in the virtualization category. A successful sandbox escape exploit on Google Chrome can fetch $60,000, while a Windows Kernel Escalation of Privilege exploit on Edge can garner $70,000. Rewards are higher for server exploits, at $100,000, while any team that can pull off a complete Hyper-V escape in kernel or hypervisor mode can make $250,000.

"This year's largest awards are reserved for guest-to-host escapes in their various forms," Childs notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Page 1 / 2   >   >>
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12294
PUBLISHED: 2018-06-19
WebCore/platform/graphics/texmap/TextureMapperLayer.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.2, is vulnerable to a use after free for a WebCore::TextureMapperLayer object.
CVE-2018-12519
PUBLISHED: 2018-06-19
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.
CVE-2018-12588
PUBLISHED: 2018-06-19
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-1 before 3.1.1-2 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the S...
CVE-2018-10811
PUBLISHED: 2018-06-19
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.
CVE-2018-10945
PUBLISHED: 2018-06-19
The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.