As in the previous four years, this year’s edition of the CanSecWest conference will welcome security researchers bent on exploiting vulnerabilities in popular browsers and mobile devices at the Pwn2Own contest organized by HP TippingPoint’s Zero Day Initiative.
After last year’s edition of the contest, Google’s Chrome browser was the only one left standing, so this year Google has decided to offer up to $20,000 to anyone who manages to compromise it.
Security researcher Charlie Miller speculated that Chrome wasn’t targeted because the bugs in the browser are extremely difficult to exploit, and because Chrome has a “sandbox model that’s hard to get out of”, but the big cash prize is bound to attract some participants.
HP TippingPoint is also upping the ante and offers a $105,000 cash pool to be split among the other prizes. Those interested in participating have until February 15 to register.
Targeted browsers will include the latest release candidates of Microsoft’s Internet Explorer, Apple’s Safari, Mozilla’s Firefox and Google’s Chrome. Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
The winner in each of the first three categories will receive a $15,000 cash prize, a laptop that depends on the category, and 20,000 ZDI reward points, which have their own monetary value.
“As for Chrome, the contest will be a two-part one,” writes Portnoy. “On day 1, Google will offer $20,000 USD and the CR-48 [Chrome Notebook] if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code.”
“If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.”
When it comes to attacks against mobile devices, they will be limited to Dell Venue Pro running Windows 7, iPhone 4 running iOS, Blackberry Torch 9800 running Blackberry 6 OS and Nexus S running Android. The prizes for each category are $15,000 in cash, the device itself, and 20,000 ZDI reward points.
“A successful attack against these devices must require little to no user interaction and must compromise useful data from the phone,” says Portnoy. “Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope.”