Find a new way of exploiting Chrome, IE, Java, etc. and you could win millions of dollars


Security researchers are gathering in Vancouver at the CanSecWest conference, in the hope of winning substantial cash prizes for finding exploitable vulnerabilities in the likes of Chrome, Internet Explorer and Java.

The Pwn2Own competition offers more than half a million dollars in cash and prizes for the first person to successfully compromise a selected target.

Here's what's on the menu:

  • Web Browser
    • Google Chrome on Windows 7 ($100,000)
    • Microsoft Internet Explorer, either
      • IE 10 on Windows 8 ($100,000), or
      • IE 9 on Windows 7 ($75,000)
    • Mozilla Firefox on Windows 7 ($60,000)
    • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    • Adobe Reader XI ($70,000)
    • Adobe Flash ($70,000)
    • Oracle Java ($20,000)

To make things trickier, the vulnerabilities need to be previously unknown, and computers are running the latest fully patched versions of Windows 7, 8, and OS X Mountain Lion. More information on the Pwn2Own rules can be found here.

Meanwhile at CanSecWest, Google is running its own vulnerability competition - Pwnium 3 - focused on discovering new vulnerabilities in the Chrome operating system.

And the prize money for Pwnium? A cool mega-Pi-sized $3.14159 million.

To have a chance of getting your paws on the money, you will need to pull off an attack against a Samsung S5 550 Chromebook, running the latest version of the Chrome OS. You can also receive prize money if you manage a "browser or system level compromise in guest mode or as a logged-in user, delivered via a webpage" or a "compromise with device persistence - guest to guest with interim reboot, delivered via a webpage."


It's clear that the prize money available for finding brand new vulnerabilities in operating systems, browsers and popular plugins is on the rise.

Nonetheless, it's also apparent that companies like Google will never be able to outbid intelligence agencies who might have a less altruistic interest in collecting information about new ways to exploit computers.

In light of all the attention given to vulnerabilities found at these contests, it's perhaps no surprise that Google has just patched ten vulnerabilities in its Chrome web browser, bringing it up to version 25.0.1364.152.

Whichever browser or operating system you use, the best way to reduce your chances of becoming a cybercrime statistic is to keep your systems updated with patches, run an up-to-date anti-virus product, and practice safe computing.


2 Responses to Find a new way of exploiting Chrome, IE, Java, etc.. and you could win millions of dollars

  1. Nigel · 904 days ago

    "And the prize money for Pwnium? A cool Pi-sized $3.14159 million.", wouldn't it actually be a cool mega-Pi-sized $3.14159 million?

    Alas...the scourge of having a mathy & sciencey brain that craves semantic's a birth defect. ;)

    • Paul Ducklin · 904 days ago

      It would, and I have incorporated your suggestion into the text.

      Megapi. I like the sound of that.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley.