Pwn2Own 2017 – An Event for the Ages

March 23, 2017 | Brian Gorenc

The 10th anniversary of Pwn2Own just successfully completed as the Zero Day Initiative spent $833,000 acquiring 51 different 0-day bugs. The event was filled with drama as vendors released their security patches the day before the contest, causing a number of entries to pull out immediately. Over the next three days, five additional entries would withdraw for various reasons, two would be disqualified, and three would fail. One of the entries withdrawn could have potentially impacted the Master of Pwn – the title we award to the overall winner of the contest. Still, 19 different times researchers showed us something we haven’t seen before. In two of those occasions, they showed us how the right sequence of code takes them from a guest on a virtual machine to executing code on the host.

After 10 years, it’s important to take a step back and see if the contest still matters. Of course, numerous things have changed over the last decade, but have those changes been positive? In the beginning, the focus of Pwn2Own centered on web browsers and operating systems. These targets remain relevant, as evidenced by multiple security patches from Google, Microsoft, and Mozilla immediately preceding the contest. The difficulty of compromising these browsers increased over the years too. A single bug no longer cuts it. Several exploits must be strung together to not just exploit the browser, researchers also need to escape a sandbox and, in some cases, escalate to elevated privileges. Pwn2Own didn’t force all of these improved security features in web browsers, but it does serve as an annual checkup on the state of browser security.

And while the browser may be considered the gateway to the cloud by many, virtual machines comprise the backbone of the cloud. We introduced the concept of virtual machine escapes last year, and this year we saw two successful demonstrations. We saw Microsoft and VMware release big security patches leading up to the contest. While no one attempted to exploit Hyper-V this year, its inclusion in Pwn2Own certainly encouraged Microsoft to release patches prior to the contest. VMware released two separate patches the week before the contest after not patching for several months. Pwn2Own certainly influenced browser security over the years. Hopefully a similar effect will be felt in the virtual machine space.

New categories for 2017 included Enterprise Applications and Elevation of Privilege categories. Again, patches for Office and Windows came out just before the contest. These categories have some big brand names that draw interest, but more than that, they are common targets for malware and ransomware. This year’s contest received 14 different bugs in these categories, and once the vendors patch them, there will be 14 fewer ways for ransomware to affect you.

The contestants have changed over the years, as well. Years ago, individual researchers made up the majority of entries. This year saw several teams sponsored by their employers participating. These teams take not only the research seriously, but earning the title Master of Pwn too. There have been instances of teams filing bug reports with vendors prior to the contest in the hopes of killing competitor’s exploits. So not only has Pwn2Own become a team sport, there’s now defense involved as well. But the individual researcher contestants still exist, and in some ways, they’re even more impressive than the teams. The independent researcher must code all aspects of the bug chain on their own. Those who have successful demonstrations take home not just the laptop and cash but usually a few job offers too. Wins at Pwn2Own don’t exactly make a career, but it certainly highlights talent and solidifies reputations.

Would movement towards more secure software like this happen without Pwn2Own? Possibly, but Pwn2Own serves as an annual forcing function for vendors. It’s an annual assessment of the state of security as we pit the best vendors have to offer against some of the best security researchers in the world. The contest has evolved as the industry has evolved, and it’s through this evolution that the contest remains significant. The future of Pwn2Own has yet to be written, but rest assured that ZDI will continue to monitor the landscape to see what products will most benefit from inclusion in the contest.