Date: Wed, 10 Jan 2007 12:27:08 -0500
From: contributor <Contributor@...fense.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: iDefense Q-1 2007 Challenge

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Also available at:

 http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge

*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows dominate their
respective markets, and it is not surprising that the decision to
update to the current release of Internet Explorer 7.0 and/or Windows
Vista is fraught with uncertainty.  Primary in the minds of IT
security professionals is the question of vulnerabilities that may be
present in these two groundbreaking products.

To help assuage this uncertainty, iDefense Labs is pleased to announce
the Q1, 2007 quarterly challenge.

Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0

Vulnerability Challenge:
iDefense will pay $8,000 for each submitted vulnerability that allows
an attacker to remotely exploit and execute arbitrary code on either
of these two products.  Only the first submission for a given
vulnerability will qualify for the award, and iDefense will award no
more than six payments of $8000.  If more than six submissions
qualify, the earliest six submissions (based on submission date and
time) will receive the award.  The iDefense Team at VeriSign will be
responsible for making the final determination of whether or not a
submission qualifies for the award.  The criteria for this phase of
the challenge are:

I) Technologies Covered:
- -    Microsoft Internet Explorer 7.0
- -    Microsoft Windows Vista

II) Vulnerability Challenge Ground Rules:
- -    The vulnerability must be remotely exploitable and must allow
arbitrary code execution in a default installation of one of the
technologies listed above
- -    The vulnerability must exist in the latest version of the
affected technology with all available patches/upgrades applied
- -    'RC' (Release candidate), 'Beta', 'Technology Preview' and
similar versions of the listed technologies are not included in this
challenge
- -    The vulnerability must be original and not previously disclosed
either publicly or to the vendor by another party
- -    The vulnerability cannot be caused by or require any additional
third party software installed on the target system
- -    The vulnerability must not require additional social engineering
beyond browsing a malicious site

Working Exploit Challenge:
In addition to the $8000 award for the submitted vulnerability,
iDefense will pay from $2000 to $4000 for working exploit code that
exploits the submitted vulnerability.  The arbitrary code execution
must be of an uploaded non-malicious payload.  Submission of a
malicious payload is grounds for disqualification from this phase of
the challenge.

I) Technologies Covered:
- -    Microsoft Internet Explorer 7.0
- -    Microsoft Windows Vista

II) Working Exploit Challenge Ground Rules:
Working exploit code must be for the submitted vulnerability only –
iDefense will not consider exploit code for existing vulnerabilities
or new vulnerabilities submitted by others.  iDefense will consider
one and only one working exploit for each original vulnerability
submitted.

The minimum award for a working exploit is $2000.  In addition to the
base award, additional amounts up to $4000 may be awarded based upon:
- -    Reliability of the exploit
- -    Quality of the exploit code
- -    Readability of the exploit code
- -    Documentation of the exploit code


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
QkO9IXq+PsC6bMKg7j6Dwfw=
=N0am
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists