TippingPoint Digital Vaccine Laboratories

Pwn2Own 2009

TippingPoint's Zero Day Initiative (ZDI) team is pleased to announce that we will once again be sponsoring this year's Pwn2Own contest, for the third year running. The contest will be held during the CanSecWest Security Conference, March 16-20, in Vancouver, BC.

If you're unfamiliar with the Pwn2Own contest, check out the rules and results from last year.

This year's contest will target two sets of technologies: web browsers and mobile devices. As usual, the ZDI will purchase all winning vulnerabilities that are submitted against these targets, hand them over to the affected vendors, and coordinate public disclosure.

Rules

The browser targets will be IE8, Firefox, and Chrome installed on a Sony Vaio running Windows 7, as well as Safari and Firefox installed on a MacBook running Mac OS X. All browsers will be fully patched and in their default configuration as of the first day of the contest. The mobile device targets will include fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations. A full list of available interfaces will be made available on the CanSecWest website under the Pwn2Own rules.

To participate in the contest, you can choose either or both technologies and must generally prove successful code execution. A contestant may only win one prize per flaw (e.g. if he is able to pwn a browser and a mobile device using the same flaw, he has to choose one to go after). Winning entries against the browsers are exploits that require no user interaction beyond a single click on a malicious link. Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and successful exploitation of one of the mobile devices will be verified by our team of hardware hacker judges on the ground at the event.

Prizes

The Zero Day Initiative will put up $5,000 per browser bug and $10,000 per mobile bug. The first person to crack any of the mobile devices will also get to keep that device along with a one-year phone contract. The first person to crack any of the browsers will get to keep the laptop it was running on. All winners will be asked to sign and agree to the general ZDI Non-Disclosure Agreement, and the bugs will be turned over directly to the affected vendors.

If more than 5 people win prizes, we will offer additional "Bonus" prizes of an extra $5,000 each, awarded this year for Most Interesting Browser Flaw, Most Interesting Mobile Device Flaw, and Best in Show.

As with the last two years, we will be posting updates and the final results from the contest on our blog. Check back soon!

Tags: cansecwest,pwn2own
Published On: 2009-02-25 00:09:15

Comments

  1. fearphage commented on 2009-02-25 @ 14:58

    Any reason Opera was left out of the browser competition? Just curious.

  2. ZDI Team commented on 2009-02-25 @ 16:10

    @fearphage: Based on market share we only accept Internet Explorer and Firefox vulnerabilities through the ZDI. For the sake of this competition we included Chrome and Safari due to their default presence on various mobile platforms.

  3. Chas4 commented on 2009-02-25 @ 21:44

    Why are you using a beta version of Windows in the contest?

    Opera has a much higher usage in other parts of the world
    http://my.opera.com/FataL/blog/2008/12/08/russia-and-ukraine-browser-usage-statistics-chart-2006-2008

  4. Marshel007 commented on 2009-02-26 @ 02:13

    How about if the vulnerability was in windows 7 itself not the web browser, would that still count?

  5. fearphage commented on 2009-02-26 @ 05:13

    It sounds like your argument is that the surface area of Opera is small. My rebuttal:

    Opera is the default browser on the Nintendo's Wii, DS and DSi. Opera is also integrated/preinstalled by default into Adobe Creative Suite 2, a number of set top boxes, and all UIQ 3 phones. Virtually all mobile phones (that aren't the iphone) can run Opera in some capacity (native or java-based).

    http://www.opera.com/company/investors/finance/2008/corp_pres.pdf has quite a few devices listed that Opera is the default on.

    Opera mini is still the most widely used mobile browser on the market and they are teaming up with Yahoo to push the mobile platform even farther (http://yhoo.client.shareholder.com/press/releasedetail.cfm?ReleaseID=365403). The surface area of Opera's mobile offering is definitely greater than that of its competitors at present. I don't fault you for not knowing this though.

  6. ZDI Team commented on 2009-02-26 @ 13:58

    @Chas4: The underlying version of Windows won't have a significant impact on the browser exploitation. With that said we chose Windows 7 / IE8 as the platform since both are slated for release this year. Additionally, we know from experience that chances are a bug affecting IE8 will also affect IE7.

    @Marshel007: For the purposes of this contest we will not be considering OS vulnerabilities. However, you are welcome to submit such vulnerabilities through our Zero Day Initiative (http://www.zerodayinitiative.com).

    @fearphage: We have nothing against Opera ;-) As mentioned previously we only accept Firefox and IE bugs through the ZDI. Chrome and Safari were added as they are default installs on the mobile platforms we chose.

  7. Type-ZERO commented on 2009-02-27 @ 18:35

    I think it's hard to argue for not having Opera in the mix, seeing as it's the only true cross-platform browser; I think it would be a more interesting candidate. Also, with the addition of mobile devices, Opera is found there as well.

    Opera:
    - Windows 32/64bit (XP/Vista)
    - Mac OS X
    - Linux 32/64bit (RedHat/Debian)
    - Opera Mobile (Java Enabled Phones/Blackberry's)
    - Opera Mini
    - Nintendo Wii

    Doesn't seem right to not have Opera there.

  8. RPW commented on 2009-03-02 @ 17:40

    I'd like to have a little bit more detail on the Symbian and the Windows Mobile configurations. What versions/feature packs will you be offering here? Heck, I don't even know what Symbian variant I should be targeting. I presume S60, Symbian OS 9.4, but you're not explicitly saying. Also, it would be very nice to know which specific devices. It's not as if you can easily QA such things across multiple vendors on a whim.

  9. Anonymous commented on 2009-03-03 @ 02:38

    Can you participate in this from a remote location?

  10. ZDI Team commented on 2009-03-03 @ 12:28

    Remote entries into the contest are unfortunately not allowed. If you can't make it to the conference but have a friend on the floor, you may collaborate with him/her to get your entry in.

    Also, you can always submit your bug to the Zero Day Initiative for payment outside of this contest.

  11. ToothFaerie commented on 2009-03-05 @ 03:52

    Total laugh. If, like me, you are not dull enough to use Firefox or IE (Safari, Chrome, Avant, blah blah blah), then the only browser that is trying to be all things to all men should and must be there to show the way to the others. If I remember right, Opera is the only browser that is so user-orientated, and as such should make a great competitor to the hackers and the browser market.

    Shame Opera is not there, but is this more because it is so hard to break? Who knows, and who will ever know, if one of the big players is left out. Sad, very sad.

  12. Shun commented on 2009-03-06 @ 03:41

    Will popular add-ons such as Flash and Java be installed or enabled?

    Is it possible to win the laptop without disclosing the vulnerability to ZDI?

  13. Anonymous commented on 2009-03-07 @ 11:19

    @ZDI Team

    "Based on market share we only accept Internet Explorer and Firefox vulnerabilities through the ZDI."

    How do you know what the market share is? It's impossible to measure, after all.

    Opera has more than 35 million users on the desktop. Is that not sufficient?

  14. RPW commented on 2009-03-10 @ 07:32

    OK. Let me get this straight. You're willing to pony up 10k USD for each and every bug in one of those devices that leads to remote code execution? Even if I have multiple exploits per platform? What about multiple remotely exploitable bugs per binary?

  15. Anonymous commented on 2009-03-19 @ 16:17

    Which version of IE and Safari were used? IE's Beta 2 or Release Candidate 1? Safari 4 beta??

  16. Pax commented on 2009-03-20 @ 15:14

    Seriously guys... not including Opera makes this test useless. I'm using Firefox now not because it's a better or more secure browser, but because of the plugin features (plus available toolbars).

    Tech guy to techGuys... You can rationalize your selections all you want but Opera deserves better than the explanations given and you know this.

  17. Vlatko commented on 2009-03-20 @ 22:41

    @ZDI Team - Even though I don't like or use Opera, I don't think it's fair to include Safari and exclude Opera.
    Give it a fair chance, to the benefit of the users!

  18. Anonymous commented on 2009-03-24 @ 16:19

    One can easily say that you've included Chrome just because of Google and not because of it being the default browser on mobile platforms. Chrome has a below 1% share and you dare say that Opera has a low market share??? Maybe you should be more careful at next year's choice...

  19. Steve commented on 2009-03-30 @ 09:19

    @fearphage,

    While Opera may be a decent browser, you need to accept that it is irrelevant. Statistics from actual usage from sites like Net Applications peg Opera's market share at less than 1%. Chrome for example has been out for a very short amount of time and has already more than doubled Opera's market share.

    You mention the Nintendo devices as evidence of some sort. Yes, Opera may come standard on many devices, but these devices are not used as browser devices. Nobody buys a Wii to surf the net. As for Adobe, they've given up on Opera and are moving to WebKit for their browser engine. Even in the mobile space, where Opera has its last chance at success, the best phones have moved to WebKit (iPhone, Android phones and even the upcoming Palm Pre).

    Again, I'm not knocking Opera, it's a decent browser, but it's not as popular as you seem to think and whether you're on the desktop or a mobile device, there are better alternatives.

  20. ben2talk commented on 2009-09-19 @ 23:15

    Interesting - I use Opera, Chromium, Firefox, and Epiphany browsers.

    I would like to know why you ignored Opera, which has been one of the very best browsers (for much of the last 4 years I would say the best, shadowed only by Firefox's add-ons library).

    Is this a sponsored gig?

  21. Anonymous commented on 2010-01-14 @ 04:50

    It looks like Google paid to have no Opera in the contest.

    See what kind of notes we can find on the internet about this contest: Google Chrome is the best, but can be hacked like Safari in 10 sec. Of course, if you read the notes between the lines.

    So GOOGLE PAID FOR THAT!


Links To This Post

  1. Apple 2.0 » Blog Archive » White hat hackers target the iPhone
    linked on 2009-02-26 @ 14:37

    Hackers and computer security experts gathering on March 18 in Vancouver, British Columbia, for the third annual Pwn2Own contest will be targeting five smartphones: an Apple (AAPL) iPhone, a Research in Motion (RIMM) BlackBerry and phones running on Google’s (GOOG) Android, Microsoft’s (MSFT) Windows Mobile and Nokia’s (NOK) Symbian operating systems.

  2. Want To Make $10,000 with iPhone? | iPhoneNess
    linked on 2009-02-26 @ 06:53

    But if you don’t want to develop iPhone applications, why not just hack iPhone? Pwn2Own 2009 gives you the opportunity to win $10,000 for finding flaws in iPhone’s security system. Now I am not a hacker, but it does sound like a good way to make money without actually doing something illegal. Ethical hacking has been around for years. Now, you can get paid for your efforts. And the competition is not limited just to the iPhone, so if you are a hacker, you have plenty of options to choose from. Good luck!

  3. PWN2OWN hat das iPhone im Blick « Mac » Freak
    linked on 2009-02-26 @ 15:48

    The sponsor, TippingPoint's Zero Day Initiative (ZDI), has published the rules for this year's competition. Last year Mac OS X 10.5.2 was cracked surprisingly quickly. Let's wait and see who falls first among the smartphones this year.

  4. If you can hack an iPhone, you can win $10,000!
    linked on 2009-02-26 @ 12:03

    If you think you have what it takes to hack your way into a mobile phone from afar, the Pwn2Own competition might be worth your time. Find out more here.

  5. Hack an iPhone, win 10 grand at Pwn2Own
    linked on 2009-02-26 @ 21:42

    Pwn2Own, a sort of Gray Hat extravaganza, is going to be cracking browsers and phones for the third year in a row this March. It'll go from the 16th to the 20th and offer thousands of dollars in prizes. Many will enter, few will pwn.

  7. Hacking contest offers $10,000 for iPhone exploit | Opencosmo Security
    linked on 2009-02-27 @ 00:26

    The contest will present contestants with phones running the Android, Symbian, and Windows Mobile operating systems as well as a BlackBerry and an iPhone. To qualify for the $10,000 prize, hackers must submit exploits that work against email, SMS text, website browsing, and "other general actions a normal user would take while using the device," according to the rules published by 3Com's TippingPoint unit, the competition's sponsor. All devices will be fully patched.

  8. Pwn2Own: Mobile Plattformen im Fadenkreuz
    linked on 2009-02-27 @ 00:31

    At the CanSecWest computer security conference, held once a year in Vancouver, the Pwn2Own competition takes place again this spring. Between March 16 and 20, contestants may hack away at mobile platforms for a bounty of 10,000 US dollars and at web browsers for 5,000 US dollars.

  9. Pwn2Own hacker: Apple Safari is 'easy pickings' | Zero Day | ZDNet.com
    linked on 2009-03-03 @ 11:09

    This year's contest will pit hackers against browsers and smart phones, with Internet Explorer, Firefox, Safari, Opera and Chrome among the high-profile targets. It will also include attacks against fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations.
