Pwn2Own 2023 confirms that “invulnerable” software does not exist

Pwn2Own 2023 was the latest edition of the most important hacking contest in the world. It is held annually in Vancouver, and its objective is the same as when it was created: to find critical vulnerabilities in a controlled environment so that vendors can improve the security of their products before those flaws are exploited.

To that end, participants agree to hand over all their research privately and not to make it public for at least 90 days. In return, the firms hand out juicy prizes in the contest, which is organized by Trend Micro’s Zero Day Initiative. It is a good investment, considering that the event draws the best white hat hackers on the planet and high-level security researchers who anticipate what may come from cybercrime, reinforcing the security of software, devices and, ultimately, the lives of virtually all of us.

Pwn2Own 2023: nothing holds out

In its early days the event was limited to the security of operating systems and their web browsers. Today it includes other important categories such as virtualization, servers, applications and business communications, as well as an automotive category that began with Teslas as protagonists and has returned in this edition because of the importance that autonomous driving and the connected car will acquire in the future.

New this year, macOS has been added to the Local Privilege Escalation category and DNS (vital for the operation of the Internet and cloud computing) to the server category.

This year’s edition was no different from previous ones, and practically no type of software held out. The contestants revealed 27 critical zero-day flaws (unknown vulnerabilities with no fix) and won a total of just over a million dollars and a Tesla Model 3.

Already on the first day, the main operating systems under test were hacked: Windows 11, macOS and Ubuntu Desktop. The infotainment system of the aforementioned Tesla Model 3 was also compromised (winning the car itself), and the day also saw a chain of zero-day exploits targeting Microsoft SharePoint, a successful attack on Adobe Reader, and another against Oracle’s VirtualBox virtual machine.

Virtualization is a very important technique in today’s computing, and the giant VMware returned to the event as a sponsor. VMware Workstation was hacked on the last day of the contest, as were a fully patched Windows 11 and an Ubuntu Desktop that was compromised by three different teams. The Synacktiv team was declared Master of Pwn, winning by a wide margin with more than half a million dollars and a Tesla Model 3.

The Pwn2Own 2023 organizers will publicly disclose all discovered bugs after 90 days, regardless of patch status. It is a reasonable period for fixing the vulnerabilities, but one that also puts some obligation on the software vendors. Contests of this kind, where great hackers show their skill and help improve computer security, are always interesting.
