There’s money in computer exploits – both from those who create them and those who want to plug them.
In the latter camp Hewlett-Packard is offering US$150,000 at the CanSecWest 2014 conference in Vancouver next month.
It’s part of HP’s annual Pwn2Own contest, with the Grand Prize a multiple component test that includes finding a way to bypass Microsoft’s Enhanced Migration Experience Toolkit (EMET) protections on a PC with 64-bit Windows 8.1 on Internet Explorer 11.
It’s dubbed the Exploit Unicorn.
There are a few conditions to win the 150K: The initial vulnerability utilized in the attack must be in the browser. Then the browser’s memory sandbox must be bypassed using a vulnerability in the sandbox. A separate privilege escalation vulnerability must be used to obtain SYSTEM-level arbitrary code execution on the target. The exploit must work when Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protections are enabled.
And it has to be done within 30 minutes.
Why EMET? In a blog Angela Gunn of HP writes that Microsoft is now encouraging the general public to use it, especially when a new attack is in progress.
“With EMET carrying that kind of burden of protection, researchers are getting more interested in testing its limits, and our Grand Prize reflects that. We may not have any successful contestants, but security researchers thrive on insanely difficult challenges; we’re excited to provide one.”
For those not brave enough to take that challenge, there are two other categories: Browsers (break one of that latest versions of Chrome, Explorer 11, FireFox or Safari)’ and Plug-ins (defeat security on Adobe Reader, Adobe Flash or Oracle Java.
The vulnerability or vulnerabilities used in each attack must be unknown and not previously reported to the vendor. A particular vulnerability can only be used once across all categories.
Cash prizes are awarded for each. In total nearly $750,000 in cash and prizes are available.
CanSecWest runs March 12-14 at the Sheraton Wall Centre hotel.