The Zero Day Initiative team is having the annual Pwn2Own contest later this week, March 9th, 10th, and 11th of 2011 in Vancouver. The contest always seems to be an interesting spectacle – seeing how fast certain systems are compromised, learning how companies respond to the vulnerability disclosures, and seeing patches come out up to the very last minute. The targets this year will be 4 popular web browsers and 4 mobile devices.
Here is the Cliff Notes version of the contest:
Browers
This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
- Microsoft Internet Explorer
- Apple Safari
- Mozilla Firefox
- Google Chrome
Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
Mobile Devices
The following are the target mobile devices for the contest:
- Dell Venue Pro running Windows 7
- iPhone 4 running iOS
- Blackberry Torch 9800 running Blackberry 6 OS
- Nexus S running Android
As mentioned previously, we’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we’ve partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser.
Interestingly, an RF enclosure box will be used for the mobile targets as there seems to be the possibility that the Canadian version of the FCC could use that as a reason to stop the contest.
A successful compromise of any of these targets will win the contestant a cash prize of $15,000 USD, the device itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
You can find out the full details and rules of the contest at http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011 where updates and winners will also be posted once the contest begins on Wednesday.
For real-time updates of the contest you can follow either @thezdi or @AaronPortnoy on Twitter or search for the hashtag #pwn2own.
For this information in a format that will be readable to a more general audience, check out this story from the Morning Marketplace Report.