CanSecWest There’s US$75,000 up for grabs to hackers who compromise VMware’s hypervisor software in an upgraded Pwn2Own contest next month.
The next challenge represents a significant boost to the difficulty of the hacking competition in which popular hardware and software products are publicly flayed by cyber-security gurus.
The Vancouver, Canada, event – to be held on March 16 this year – invites hackers to exploit zero-day vulnerabilities in widely used code, such as Apple’s Safari browser, Google’s Chrome browser, or Adobe Flash, and win tens of thousands of dollars in prizes for doing so.
Hewlett Packard Enterprise’s vulnerability research manager Brian Gorenc (@maliciousinput) says the HP-run event will now include the option to pop VMware on Windows.
“Since its inception in 2007, Pwn2Own has increased the challenge level at each new competition, and this year is no different,” Gorenc says.
“While the latest browsers from Google, Microsoft, and Apple are still targets, the Windows-based targets will be running on a VMware Workstation virtual machine [and] a US$75,000 bonus will be given to those who can escape the VMware virtual machine.
“This is our first year including VMware as a target, and we look forward to seeing what researchers will do with it.”
The contest will be reworked so that winners are those with the highest overall points accrued through successful exploits. Those who escape Windows VMware (US$75,000) will grab the maximum 13 points, while hosing Chrome (US$65,000) or Microsoft Edge (US$65,000) will earn 10 points.
Adobe asset Flash in Edge (US$60,000) and OS X Safari (US$40,000) attract eight and six points, while system escalation, root escalation, and target sandbox (US$20,000) escapes earn five, four, and three points respectively.
Contestants will need to consider how the Wassenaar Arrangement may affect them.
Hewlett Packard canned last year’s MobilePwn2Own contest in December allegedly due to the Arrangement. The Japan hackerfest went ahead anyway and enjoyed success despite the fact that some hackers stayed home for fear of breaching the global disparate arms control system.
It is, however, generally said that Western nations do not intend to target white hat researchers. ®