The annual PWN2OWN exploit contest at the CanSecWest conference in Vancouver, British Columbia, Canada, brings together some of the top security talent from across the globe in a friendly competition. For the participants, these events are a platform to demonstrate world-class skills and vie for significant cash prizes. For companies like Microsoft, where we have a large number of teams focused on security, contests like this provide an additional avenue for external input from researchers. It is this community collaboration that led us to partner with Trend Micro/ZDI to sponsor this year’s contest.
Microsoft regularly leverages input from the community using programs such as bug bounties and the BlueHat prize in a relentless pursuit to improve the security of our products and expand our understanding of the latest threats.
Exploit contests are great opportunities as it allows Microsoft engineers to exchange ideas face-to-face with the community. This includes intricate details such as attack approaches, techniques used, and opportunities for improvement against similar attacks. While bug bounty programs focus on vulnerabilities, contests like PWN2OWN focus on exploit chains which typically are only seen in real attacks. The opportunity to understand exploits without impact to customers is invaluable. Microsoft has used this to drive security innovations into the platform and in products like Microsoft Edge. Microsoft sponsored several competition targets running the latest Windows Insider preview builds for on Microsoft Surface devices to help direct the community to gain insight into some of our most important areas. None of the competition targets running the latest Windows Insider previews were successfully exploited by contestants.
To demonstrate the effectiveness of this partnership, Microsoft provided an overview of some of the mitigations influenced by offensive security research community in a recent blackhat presentation.
These innovations include:
- Windows Defender Application Guard which uses virtualization security to protect against kernel-based sandbox attacks
- Control Flow Guard (CFG) and Microsoft Edge’s JIT and code integrity protection, which mitigates many of the common techniques leveraged in past competitions
- Microsoft Edge’s improved sandbox, which reduces previous attack surface by 90%
We believe this engagement with researchers has resulted in durable, real-world protection for customers. As an example, Microsoft Edge has still not been impacted by a zero-day exploit in the wild. In addition, this year’s PWN2OWN entries were not able to escape the Windows Defender Application Guard isolation protection.
Engaging with the research community and creating platforms for transparent information sharing across the wider defender community is a key part of Microsoft’s strategy to keep customers safe. We will continue to push for deeper collaboration through future events and programs.