Pwn2Own 2009: Browsers and smart phones are targets

Type threatpost
Reporter Ryan Naraine
Modified 2013-04-17T16:39:37


TippingPoint’s Zero Day Initiative has released the rules for this year’s CanSecWest PWN2OWN contest, which will target unpatched flaws in Web browsers and mobile devices.

On the target list this year: Microsoft’s Internet Explorer 8, Apple’s Safari, Google’s Chrome, Windows Mobile, Google Android, BlackBerry, iPhone and Symbian.

The rules:

The browser targets will be IE8, Firefox, and Chrome installed on a Sony Vaio running Windows 7 as well as Safari and Firefox installed on a MacBook running Mac OS X. All browsers will be fully patched and in their default configuration as of the first day of the contest. The mobile device targets will include fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations. A full list of available interfaces will be made available on the CanSecWest website under the Pwn2Own rules.

To participate in the contest, you can choose either or both technologies and must generally prove successful code execution. A contestant may only win one prize per flaw (e.g. if he is able to pwn a browser and a mobile device using the same flaw, he has to choose one to go after). Winning entries against the browsers include exploits which require no user interaction outside of a single click on a malicious link. Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and proving successful exploitation of one of the mobile devices will be verified by our team of hardware hacker judges on the ground at the event.

There will be $5000 per browser bug, and $10,000 per mobile bug. The first person to crack any of the mobile devices will also get to keep that device along with a one-year phone contract. The first person to crack any of the browsers will get to keep the laptop it was running on.