This year the competition will have two main technology targets. In keeping with tradition, the first portion of the event will attempt to bring to light the current security posture of market-leading web browser and operating system pairings. The multifaceted web browser continues to occupy a critical presence on the client-side attack surface. As Adobe, Google, and an estimated 30 other companies affected in the Aurora incident can attest, the security posture of these products merits a yearly public evaluation by the research community at large.
The second portion of Pwn2Own 2010 offers bounties for vulnerabilities affecting mobile phones. The increased presence and capabilities of smart phones have brought with them the same security issues and attention traditionally reserved for non-hand-held platforms. Vulnerabilities in parsing media, dynamic web content, e-mail, and other client-side issues have been in the past. Additionally, many of the communication protocols that mobile phones implement are the focus of a burgeoning field of security research. The data stored on and communicated across these devices is increasing in value to attackers.
Pwn2Own will be held over the course of three days starting on March 24th, with the browser and the mobile contests running concurrently. To register for the competition, send us an e-mail at ZDI@tippingpoint.com. Competitors will be assigned a random half-hour time slot.
This blog entry will be updated frequently and serve as the main point of information dissemination. Additionally, you can get real-time updates and provide real-time feedback via our ZDI Twitter account.
Please direct all press inquiries to: Jennifer Lake <jlake@tippingpoint.com>
$40,000 of the total $100,000 cash prize pool is allotted to the web browser portion of the contest; each target is worth $10,000. The browser targets this year will include the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.
To highlight the efficacy of operating system level protections, we have structured the ZDI bonus point amounts to reflect the difficulty of exploitation. Once a target has been successfully compromised, it will be removed from the competition. Thus, a successful day-one attack on a specific browser must overcome the latest and greatest flagship operating system with all exploit mitigations activated in their default state.
Day 1
The target pairings for day one are:
- Microsoft Internet Explorer 8 on Windows 7
- Mozilla Firefox 3 on Windows 7
- Google Chrome 4 on Windows 7
- Apple Safari 4 on MacOS X Snow Leopard
Day 2
- Microsoft Internet Explorer 7 on Windows Vista
- Mozilla Firefox 3 on Windows Vista
- Google Chrome 4 on Windows Vista
- Apple Safari 4 on MacOS X Snow Leopard
Day 3
- Microsoft Internet Explorer 7 on Windows XP
- Mozilla Firefox 3 on Windows XP
- Google Chrome 4 on Windows XP
- Apple Safari 4 on MacOS X Snow Leopard
$60,000 of the total $100,000 cash prize pool is allotted to the mobile phone portion of the contest; each target is worth $15,000. A successful hack on these targets must result in code execution with little to no user interaction. Expect updates on the rules as the contest approaches. The current target list is as follows:
- Apple iPhone 3GS
- RIM Blackberry Bold 9700
- A Nokia device running Symbian S60 (likely the E62)
- A Motorola phone running Android (likely the Droid)
Any non-remote-code-execution entries accepted by the judges reduce the point giveaway to 9,999 ZDI, which puts the competitor just one ZDI submission away from Bronze standing for the year ;-)
Happy hunting