At pwn2Own This Time, VMware Virtual Machines Will Challenge Hackers
Steadily, the Pwn2Own hacker contest has become an important fixture in the world of testing the security of software applications, operating systems and hardware devices. In fact, it’s now widely followed by major technology companies and technologists of all stripes. The competition exposes just how vulnerable the browsers that we all live in all day really are.
The competition takes place at the CanSecWest security conference, and it will return in March, with a few surprises. One of the surprises this time around is that contestants can win a $75,00 prize for escaping a VMware virtual machine.
In this year's contest, exposing vulnerabilities in Google Chrome or Microsoft Edge will earn contestants $65,000, while exploiting Apple Safari on the Mac earns $40,000. Pulling off system-level access on Windows or root access on Mac OS X will earn $20,000.
And, according to organizers:
"This year, Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative partner to bring the annual Pwn2Own to Vancouver with a new twist to the rules to keep things interesting....The Windows-based targets will be running on a VMware Workstation virtual machine. A $75K bonus will be given to those who can escape the VMware virtual machine. This is our first year including VMware as a target, and we look forward to seeing what researchers will do with it."
"The 2016 competition consists of four of the most popular, and most targeted, software platforms in the world. All target machines will be running the latest fully-patched versions of the relevant operating systems (Windows 10 64-bit and OS X “El Capitan”), installed in their default configurations. As in last year’s competition, the exploit must work with Microsoft’s Enhanced Mitigation Experience Toolkit (most current version compatible with the target) protections enabled."
Why do companies like HP sponsor Pwn2Own? The answer is that they can benefit from getting key vulnerabilities uncovered at the contest patched.
Each of the vulnerabilities exploited will be privately disclosed to the software builders in question so that patches can be delivered.
The Pwn2Own competition is truly widely watched by technology companies, and individuals should keep track of the annual results as well. We will follow up in March with a report on the winning hacks.