
That’s right: $20,000 to any hacker who can successfully compromise a Windows 7 machine running Google’s Chrome browser via a security vulnerability in Google-written code and a sandbox escape.
CanSecWest’s Pwn2Own contest is an annual event pitting some of the world’s best security analysts and exploit writers against the most popular web browsers and mobile devices. After last year’s contest, Google’s Chrome browser was the only browser left unscathed. Given the money and prizes being offered and the obvious publicity involved with successfully compromising the Chrome browser, chances are good that the cross-hairs are already being lined up on this web browser.
Contest sponsor TippingPoint ZDI says a successful Chrome hack “must include a sandbox escape”, and be in Google-written code, in order to win the $20,000. If competitors are unsuccessful, on days 2 and 3 they will be allowed to use exploits targeting non-Google code to potentially compromise the browser. If they succeed on days 2 and 3, ZDI will offer $10,000 for a sandbox escape and Google will offer $10,000 for the Chrome bug. In order to fully utilize a sandbox escape, the exploit may have to be combined with another vulnerability for full system compromise.
On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities present purely in Google-written code. If competitors are unsuccessful, on days 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
CanSecWest is also offering cash prizes for anyone using unpublished browser security holes to remotely launch code on Windows 7 or Mac OS X machines.
Browser Targets for this Year:
- Microsoft Internet Explorer
- Apple Safari
- Mozilla Firefox
- Google Chrome
Each browser will be installed on a 64-bit system running the latest version of Windows 7 or Mac OS X.
For mobile devices, the attack surface has been increased to allow attacks against the cell phones’ basebands.
Mobile Targets for this Year:
- Dell Venue Pro – Windows 7
- iPhone 4 – iOS
- Blackberry Torch 9800 – Blackberry 6 OS
- Nexus S – Android
A successful attack against these devices must require little to no user interaction and must compromise useful data from the phone. Anything that would cost the owner of the device money, i.e., silently calling long-distance numbers, eavesdropping on conversations, etc., is within scope.
The contest is being held on the 9th, 10th, and 11th of March, 2011 in Vancouver, BC during the CanSecWest Conference. For more information, registration, or to follow the contest, visit TippingPoint ZDI’s website.
Source: TippingPoint ZDI







You guys really need to proofread articles, you’re looking very amateur and I mean it in a respectful way. Not only does the author use the word comprise when he is meaning to write ‘compromise’ but then later on he changes it to ‘compromise’ like it should have been to begin with, but then goes and spells it wrong.
It just doesn’t do much for your guys’ professionalism to have writers who can’t properly write. Makes me want to visit a website with a bit more professionalism on board. I’m sure I’m not the only one who has felt like that.