Security researchers are gathering in Vancouver at the CanSecWest conference, in the hope of winning substantial cash prizes for finding exploitable vulnerabilities in the likes of Chrome, Internet Explorer and Java.
The Pwn2Own competition offers more than half a million dollars in cash and prizes for the first person to successful compromise a selected target.
Here’s what’s on the menu:
- Web Browser
- Google Chrome on Windows 7 ($100,000)
- Microsoft Internet Explorer, either
- IE 10 on Windows 8 ($100,000), or
- IE 9 on Windows 7 ($75,000)
- Mozilla Firefox on Windows 7 ($60,000)
- Apple Safari on OS X Mountain Lion ($65,000)
- Web Browser Plug-ins using Internet Explorer 9 on Windows 7
- Adobe Reader XI ($70,000)
- Adobe Flash ($70,000)
- Oracle Java ($20,000)
To make things trickier, the vulnerabilities need to be previously unknown, and computers are running the latest fully patched versions of Windows 7, 8, and OS X Mountain Lion. More information on the Pwn2Own rules can be found here.
Meanwhile at CanSecWest, Google is running its own vulnerability competition – Pwnium 3 – focused on discovering new vulnerabilities in the Chrome operating system.
And the prize money for Pwnium? A cool mega-Pi-sized $3.14159 million.
To have a chance of getting your paws on the money, you will need to pull off an attack against a Samsung S5 550 Chromebook, running the latest version of the Chrome OS. You can also receive prize money if you manage a “browser or system level compromise in guest mode or as a logged-in user, delivered via a webpage” or a “compromise with device persistence – guest to guest with interim reboot, delivered via a webpage.”
It’s clear that the prize money available for finding brand new vulnerabilities in operating systems, browsers and popular plugins is on the rise.
Nonetheless, it’s also apparent that companies like Google will never be able to outbid intelligence agencies who might have a less altruistic interest in collecting information about new ways to exploit computers.
In light of all the attention given to vulnerabilities found at these contests, it’s perhaps no surprise that Google has just patched ten vulnerabilities in its Chrome web browser, bringing it up to version 25.0.1364.152.
Whichever browser or operating system you use, the best way to reduce your chances of becoming a cybercrime statistic is to keep your systems updated with patches, run an up-to-date anti-virus product, and practice safe computing.Follow @gcluley