Vulnerabilities / Threats

1/25/2018
06:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards

Microsoft is a partner at annual contest for the first time.

In a sign of just how much value software vendors have begun attaching to crowdsourced security research, up to $2 million will be up for grabs at the Pwn2Own challenge at the CanSecWest conference in Vancouver, Canada, this March.

The amount is the highest ever offered in rewards at the annual hacking contest. It reflects contributions from VMware and Microsoft, which for the first time will participate as a partner at the event, along with Trend Micro's Zero Day Initiative (ZDI).

Also for the first time, the Pwn2Own contest will offer a Windows Insider Preview challenge in which participants will have an opportunity to take a crack at prerelease versions of Windows products configured by Microsoft and running on the company's hardware.

The challenge will use the Windows 10 RS4 (Redstone 4) Insider Preview build as the base platform and give bug hunters an opportunity to match their wits against some of Microsoft's flagship security technologies.

"Microsoft has been a target before, but they have never participated as a partner," says Dustin Childs, communications manager for ZDI. "We're excited to have Microsoft as a partner and VMware as a sponsor for this year's event. It shows vendors recognize the value provided by the contest," he says.

The annual Pwn2Own contest has become something of an annual pilgrimage for many security researchers from around the world. The event provides an opportunity for them to essentially win rewards for hacking into widely used technology products using previously unknown exploits. Bugs and exploits that are uncovered in target products at the event are sold or shared with the respective security vendors.

Last year, security researchers, many of whom worked in teams, collected over $830,000 in total payouts for discovering various exploits in target products such as VMware Workstation, Microsoft Edge, Google Chrome, Microsoft Hyper-V, and Mozilla's Firefox. Researchers participating at the event uncovered a total of 51 different zero-day vulnerabilities.

Since Pwn2Own launched in 2007 it has gotten progressively bigger, more formal, and more challenging for hackers. For some vendors the event is a testing ground of sorts for their products and an opportunity to discover security issues in their products before attackers exploit the flaws.

From initially focusing on Web browsers and operating systems, Pwn2Own has broadened to include multiple technologies such as virtualization, cloud, and mobile. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.

"The first Pwn2Own required just one vulnerability to exploit an Apple Macbook," says Childs. "A successful entry this year will require multiple exploits, sandbox escapes, mitigation bypasses, and other advanced techniques. In other words, it's much more difficult."

This year's event offers contestants targets in five separate categories: virtualization, enterprise applications, Web browsers, servers, and Windows Insider Preview.

This March's Pwn2Own event expands the virtualization category by adding Oracle's VirtualBox as a target for contestants. The three challenges that Microsoft will offer as part of its Windows Insider Preview Challenge are also new.

Award amounts in the various categories vary depending on the target and level of difficulty.

For instance, contestants who can successfully execute a certain type of attack against Microsoft's Hyper-V client can earn up to $150,000 in the virtualization category. A successful sandbox escape exploit on Google Chrome can fetch $60,000, while a Windows Kernel Escalation of Privilege exploit on Edge can garner $70,000. Rewards are higher for server exploits, at $100,000, while any team that can pull off a complete Hyper-V escape in kernel or hypervisor mode can make $250,000.

"This year's largest awards are reserved for guest-to-host escapes in their various forms," Childs notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Page 1 / 2   >   >>
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-0291
PUBLISHED: 2018-06-20
A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly. The vulnerability is due to improper validation of SNMP protocol ...
CVE-2018-0292
PUBLISHED: 2018-06-20
A vulnerability in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in ...
CVE-2018-0293
PUBLISHED: 2018-06-20
A vulnerability in role-based access control (RBAC) for Cisco NX-OS Software could allow an authenticated, remote attacker to execute CLI commands that should be restricted for a nonadministrative user. The attacker would have to possess valid user credentials for the device. The vulnerability is du...
CVE-2018-0294
PUBLISHED: 2018-06-20
A vulnerability in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to configure an unauthorized administrator account for an affected device. The vulnerability exists because the affected software does not properly delete sensitive...
CVE-2018-0295
PUBLISHED: 2018-06-20
A vulnerability in the Border Gateway Protocol (BGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the device unexpectedly reloading. The vulnerability is due to incomplete input validation of the BGP update...