Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/25/2018
06:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards

Microsoft is a partner at annual contest for the first time.

In a sign of just how much value software vendors have begun attaching to crowdsourced security research, up to $2 million will be up for grabs at the Pwn2Own challenge at the CanSecWest conference in Vancouver, Canada, this March.

The amount is the highest ever offered in rewards at the annual hacking contest. It reflects contributions from VMware and Microsoft, which for the first time will participate as a partner at the event, along with Trend Micro's Zero Day Initiative (ZDI).

Also for the first time, the Pwn2Own contest will offer a Windows Insider Preview challenge in which participants will have an opportunity to take a crack at prerelease versions of Windows products configured by Microsoft and running on the company's hardware.

The challenge will use the Windows 10 RS4 (Redstone 4) Insider Preview build as the base platform and give bug hunters an opportunity to match their wits against some of Microsoft's flagship security technologies.

"Microsoft has been a target before, but they have never participated as a partner," says Dustin Childs, communications manager for ZDI. "We're excited to have Microsoft as a partner and VMware as a sponsor for this year's event. It shows vendors recognize the value provided by the contest," he says.

The annual Pwn2Own contest has become something of an annual pilgrimage for many security researchers from around the world. The event provides an opportunity for them to essentially win rewards for hacking into widely used technology products using previously unknown exploits. Bugs and exploits that are uncovered in target products at the event are sold or shared with the respective security vendors.

Last year, security researchers, many of whom worked in teams, collected over $830,000 in total payouts for discovering various exploits in target products such as VMware Workstation, Microsoft Edge, Google Chrome, Microsoft Hyper-V, and Mozilla's Firefox. Researchers participating at the event uncovered a total of 51 different zero-day vulnerabilities.

Since Pwn2Own launched in 2007 it has gotten progressively bigger, more formal, and more challenging for hackers. For some vendors the event is a testing ground of sorts for their products and an opportunity to discover security issues in their products before attackers exploit the flaws.

From initially focusing on Web browsers and operating systems, Pwn2Own has broadened to include multiple technologies such as virtualization, cloud, and mobile. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.

"The first Pwn2Own required just one vulnerability to exploit an Apple Macbook," says Childs. "A successful entry this year will require multiple exploits, sandbox escapes, mitigation bypasses, and other advanced techniques. In other words, it's much more difficult."

This year's event offers contestants targets in five separate categories: virtualization, enterprise applications, Web browsers, servers, and Windows Insider Preview.

This March's Pwn2Own event expands the virtualization category by adding Oracle's VirtualBox as a target for contestants. The three challenges that Microsoft will offer as part of its Windows Insider Preview Challenge are also new.

Award amounts in the various categories vary depending on the target and level of difficulty.

For instance, contestants who can successfully execute a certain type of attack against Microsoft's Hyper-V client can earn up to $150,000 in the virtualization category. A successful sandbox escape exploit on Google Chrome can fetch $60,000, while a Windows Kernel Escalation of Privilege exploit on Edge can garner $70,000. Rewards are higher for server exploits, at $100,000, while any team that can pull off a complete Hyper-V escape in kernel or hypervisor mode can make $250,000.

"This year's largest awards are reserved for guest-to-host escapes in their various forms," Childs notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:11:31 PM
Re: The rewards of virtue?
@Dr.T: Is that necessarily so, though?

Depends on the bad guy. Your run-of-the-mill thief deals with volume -- and is therefore looking for low-hanging fruit. A nation-state, on the other hand, operates under an entirely different "business model" -- and therefore has both the incentive and the resources to do this kind of in-depth research.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:04:16 PM
Re: The rewards of virtue?
"Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly"

This makes sense. Maybe software vendors should be hold more accountable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 7:01:50 PM
Re: The rewards of virtue?
"there was a substantial probability that "bad guys" were about to discover it anyway."

I would agree with this. Bad guys have more incentive than good guys.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:59:14 PM
Re: The rewards of virtue?
"the case with the Meltdown/Spectre"

my understanding is that Intel got enough time to fix the bug, they were not quick enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:57:30 PM
Re: The rewards of virtue?
"But consider what happens when the discoveries leak out before the mitigations and fixes are ready"

This is a good point. We would want to avoid this part of it one way or another.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:55:14 PM
Re: The rewards of virtue?
"Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. "

I say intention is important. If it tries to hurt people than it is bad.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:27:40 PM
Re: Exploit hunting for fun and profit?
"Exploit hunting for fun and profit? "

This would be a good thing I would say, both earing money and having fun.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:24:16 PM
Re: Exploit hunting for fun and profit?
" other words: they are looking for the exploitable.  Is it always a good thing, that they find it? "

I see, I say yes, it is better to find it as early as possible.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:23:12 PM
Re: Exploit hunting for fun and profit?
"Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. "

What type of negative consequences could there be?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:21:31 PM
Re: Exploit hunting for fun and profit?
"Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth"

I hear you. If it was a TDD approach, bug may be considered a featuire. :--))
Page 1 / 2   >   >>
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20619
PUBLISHED: 2021-01-19
Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2020-29450
PUBLISHED: 2021-01-19
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
CVE-2020-36192
PUBLISHED: 2021-01-18
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php p...
CVE-2020-36193
PUBLISHED: 2021-01-18
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.