…No, I spelled the headline right. HP has intelligently crafted a way to position themselves at the forefront of web browser security by attaching themselves to the PWN2OWN competition in Vancouver, B.C. Part of the CanSecWest2013 conference, PWN2OWN is an open invite for hackers to make a name for themselves under the public eye(which, under normal circumstances– not such a bright idea).
Let’s delve into the concept of pwnage to better understand PWN2OWN. Pwn is a slang term coined by the most recent generation of computer gamers and developers to describe the act of dominating something; derived originally from a typo, hitting the letter ‘p’ instead of ‘o’. This quickly caught on in the gaming community and shows no signs of slowing down. Fast forward to the CanSecWest conference, and we have our newest competition: pwn any one of the four major web browsers out now, complete with full updates and patches, and win the very machine that you hacked into. Usually, this involves directing the browser to untrusted web content, and finding a way to inject and run arbitrary executable code from there. It is worth reading the official rules to better understand the groundrules for this effort.
This excerpt gets right to the point:
“The targets will be running on the latest, fully patched version of Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations. The vulnerabilities utilised in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win.”
In 2013, the rules have been amended to require responsible disclosure of the method used in order to manipulate whatever vulnerability you’ve found:
“Upon successful demonstration of the exploit, the contestant will provide Sponsor a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes.”
The caveat of this competition involves HPs direct involvement with those exploit techniques, allowing them the liberty of not only patching the software, but building a knowledgebase out of the findings, possibly to further its growth in the IT Security sector. Google is involved in this as well, offering an undisclosed amount to the prize fund, to fatten the pockets of those in the ‘know’. This relationship is reflected in the prize purse, as Chrome hacks fetch the highest amount(alont with IE 10 on Windows 8).
Nobody said it would be easy.