The Pwn2Own hacking competition, which usually makes headlines in early March on the subject of which browser and operating system is “first to fall” to the hackers has upped its price pool to more than half a million dollars. The hacking competition is held at CanSecWest in Vancouver between the 6th and 8th of March.
The bounties provide an interesting, if unreliable, metric on the difficulty of generating specific exploits. The higher the bounty, the more difficult the exploit. The competition works by providing contestants with a fully patched computer running Windows 7, Windows 8, or OSX Mountain Lion running in their default configuration. Any exploits used must be currently unknown to the vendor. In the cases where an application is sandboxed from the operating system, the exploit must be able to escape the the sandbox. The bounties offered in US dollars are as follows:
- $100,000. Internet Explorer 10 on Windows 8
- $100,000. Google Chrome on Windows 7 (Whatever number is the latest version in March?)
- $75,000. Internet Explorer 9 on Windows 7
- $70,000. Adobe Reader XI plugin on IE 9 on Windows 7
- $70,000. Adobe Flash plugin on IE 9 on Windows 7
- $65,000. Apple Safari on OSX Mountain Lion
- $60,000. Mozilla Firefox on Windows 7
- $20,000. Oracle Java
The interesting take home from this list is that IE 10 is considered as robust as Google Chrome in terms of exploitability reward. This is of course a subjective metric. It would have been interesting to see what the value of IE 10 on Windows 7 would be, but the final version of IE 10 is not available for Windows 7. It’s also a pity that there is no figure for Chrome on OSX Mountain Lion.
The rules of the contest is that each contestant selects a category during pre-registration. The contestant is given a 30 minute slot (not including network setup prerequisites). The successful attack must demonstrate code execution on the target computer with minimal user interaction.
Pwn2Own isn’t doing mobile devices this year, which is a pity as it would be interesting to see the exploitability of iPad/iOS versus Windows RT versus Android.
Find out more about Pwn2Own 2013.