
Pwn2Own 2016 – Trend Micro TippingPoint DVLabs Exclusive Zero Day Coverage!

  • Posted on: March 21, 2016
  • Posted in: Network, Security
  • Posted by: Steve Povolny

Less than 48 hours ago, I was sitting on a plane watching the movie “Blackhat,” and crying a little on the inside every time another hacker cliché or security buzzword was used. I suppose I should give the writers some credit as they clearly made an attempt to learn something about the industry and apply it in the film. Overall though, it was just about as cringe-worthy as my wife (a PICU nurse) tells me she feels when watching ER or Grey’s Anatomy. Anyway, flash-forward to the last couple of days where we saw the real world of hacking at CanSecWest’s annual Pwn2Own contest. Granted, if you filmed this and tried to sell it to the masses (even with Chris Hemsworth), it would probably gross less revenue than “Zyzzyx Road”. All that aside, for those of us lucky enough to have chosen this industry, it’s been another groundbreaking year for InfoSec.

One exciting change for DVLabs and the Zero Day Initiative (ZDI) is Trend Micro’s strategic acquisition of TippingPoint. Though our parent company has changed, our process has stayed relatively the same. At Pwn2Own, DVLabs has the unique opportunity of sitting directly with some of the top ethical hackers in the world to learn the cutting-edge techniques demonstrated live at the contest. After working with the ZDI to confirm the bugs, we analyze the techniques and immediately start the filter development process. The upcoming Digital Vaccine package, available next Tuesday March 22nd, will contain filters for ALL of the network-exploitable vulnerabilities used in the competition.

Over the years, a few things have changed at this benchmark hacking contest. Vendors are now more aggressive with their mitigations prior to Pwn2Own, and ZDI has upped the ante required to achieve a successful attack. This has resulted in increases in both the number of vulnerabilities required for exploitation as well as the complexity of techniques used. The malicious hackers are also out there, constantly developing similar attack vectors and using them to exploit a wide range of victims. For Trend Micro TippingPoint customers, this means the virtual patch story is even more relevant than ever. The filters that will be released in next week’s DV package provide exclusive coverage not only for the vulnerabilities shown during the contest, but also for the security mitigation bypass techniques.

Pwn2Own featured five contestants this year, exploiting over 20 vulnerabilities in the most ubiquitous products in the world. The targets included Microsoft Edge, Google Chrome, Apple Safari and Adobe Flash with extra incentives for SYSTEM or ROOT level privileges. Mozilla’s Firefox browser was intentionally dropped from the competition due to its complete lack of a sandbox, a critical security feature which raises the bar for exploitation.

Although nearly one fourth of the total attempts failed this year, I’m happy to report that each of the targets was successfully owned, with the exception of a late addition “unicorn” category, the VMware escape – though we did hear rumors that next year some of the contestants were planning on bringing an exploit. The 2016 contest featured a new point-based system, awarding incremental points for the number and complexity of bugs used to achieve code execution. The following table shows the point values, and the clear winner at the end of two packed days was the Tencent Security Team Sniper.

[Image: table of point values]

If you are a current TippingPoint customer and subscribe to automatic DV updates, you will see the filters come through in your next package update, searchable by the text “Pwn2Own” in the filter name field. Expanded details for the filters will be available once ZDI discloses the vulnerabilities, pending vendor patches. Until then, these filters are the sole method of defeating exploitation of some of the most impactful zero-days we’ve ever seen.

Congratulations to all of the contestants with a special shout out to the sole winner Tencent Security Team Sniper!
