Pwn2Own 2022 confirms that there is no such thing as invulnerable software

Pwn2Own 2022 was the latest edition of the most important hacking contest on the planet. The event is held annually, and its objective is to find critical vulnerabilities in a controlled environment so that vendors can improve the security of their products before the flaws can be exploited in the wild.

The participants, the best white-hat hackers on the planet and researchers from the big security firms, commit to delivering all of their research privately and not making it public for a minimum of 90 days. In exchange, the contest, organized by Trend Micro's Zero Day Initiative, hands out generous prizes, an investment considered well worth it for anticipating what cybercrime may come up with, thereby reinforcing the security of software and devices.

Pwn2Own 2022: nobody resists

As in previous years, the list of hacked software is as broad as the list of targets attacked (21 products in various categories), and neither open source nor proprietary software was spared. Windows 11, Microsoft Teams, Oracle VirtualBox, Mozilla Firefox, Apple Safari, Ubuntu Desktop and Tesla cars were all successfully hacked by various teams during the three days of the event.

Windows 11, the latest Microsoft system, was one of the researchers' preferred targets, with six successful exploits, three of them zero-day vulnerabilities. Among the most interesting were an escalation of privileges using integer overflow (buffer overflow) techniques and another using a use-after-free attack, which takes advantage of errors in how memory addresses are handled to cause denial of service and code execution, achieving total control of the machine.

This same exploit technique was used by two groups to hack into a system running Ubuntu Desktop. It is a well-documented class of attack that exploits flaws in the way applications manage memory. Three zero-days were also revealed in the Microsoft Teams communication platform, along with various vulnerabilities in the Apple Safari and Mozilla Firefox browsers and in the Oracle VirtualBox virtualization software.
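To make the two bug classes named above concrete, here is an added C illustration written for this page; it is not code from the article nor from any Pwn2Own entry, and the function and type names (naive_bytes, checked_bytes, session_new, session_release, session_name_len) are hypothetical. It shows the defect pattern beside the hardened form a code reviewer would ask for: a size computation that silently wraps versus one that refuses to overflow, and a handle that is cleared on release so a stale pointer fails closed instead of reading freed memory.

```c
/* Added illustration of the two memory-safety bug classes the article
   mentions (integer overflow feeding an allocation, and use-after-free).
   Hypothetical names; not code from the article or the contest. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- 1. Integer overflow in a size computation -------------------------- */

/* Unsafe pattern: count * elem_size can wrap around, so the allocation ends
   up far smaller than the number of elements later copied into it, and the
   copy becomes a heap buffer overflow. */
static size_t naive_bytes(size_t count, size_t elem_size) {
    return count * elem_size;            /* wraps silently on overflow */
}

/* Hardened form: refuse any count that would wrap. Returns 1 and writes the
   byte count to *out only when the product is representable; 0 otherwise. */
static int checked_bytes(size_t count, size_t elem_size, size_t *out) {
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return 0;                        /* would overflow: refuse */
    *out = count * elem_size;
    return 1;
}

/* --- 2. Use-after-free ---------------------------------------------------- */

struct session {
    char name[32];
};

/* Unsafe pattern (deliberately not executed here, it is undefined behaviour):
       free(s);
       ... later ...
       strlen(s->name);     <- reads freed memory through a dangling pointer
   An attacker who can reallocate that freed chunk controls what is read. */

static struct session *session_new(const char *name) {
    struct session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    strncpy(s->name, name, sizeof s->name - 1);
    return s;
}

/* Hardened form: release through a double pointer and clear it, so no
   dangling copy survives in the caller. */
static void session_release(struct session **sp) {
    if (sp && *sp) {
        free(*sp);
        *sp = NULL;
    }
}

/* Every use checks for NULL first. Returns the name length, or -1 when handed
   a released handle, instead of touching freed memory. */
static int session_name_len(const struct session *s) {
    if (!s) return -1;
    return (int)strlen(s->name);
}

int main(void) {
    /* Constructed input: a count chosen so that count * 8 wraps to 8 bytes
       on both 32-bit and 64-bit size_t. */
    size_t huge = SIZE_MAX / 8 + 2;
    size_t bytes = 0;
    printf("naive:   %zu bytes\n", naive_bytes(huge, 8));
    printf("checked: %s\n", checked_bytes(huge, 8, &bytes) ? "ok" : "refused");

    struct session *s = session_new("alice");
    printf("before release: %d\n", session_name_len(s));
    session_release(&s);
    printf("after release:  %d\n", session_name_len(s));
    return 0;
}
```

Compiled with `-fsanitize=address`, the commented-out unsafe pattern would be reported as a heap-use-after-free at test time, which is the kind of check that catches this bug class before a contest entrant does.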

The infotainment system of Tesla 3 cars was also hacked. The automotive category premiered at Pwn2Own 2019, as it was considered an important segment given the rise of smart and autonomous cars. Back then, a researcher used a JIT bug in the web browser's rendering process to execute code in the car's firmware and display a message on the car's infotainment system. He took home the car that Tesla gave away as a prize.

In total, Pwn2Own 2022 awarded 1.2 million dollars in prizes. After the vulnerabilities are exploited and disclosed in a controlled manner at the event, software and hardware vendors have 90 days to release security fixes for all reported vulnerabilities.

More information on Pwn2Own 2022 | Zero Day Initiative
