There is no safe operating system, platform or program. Yesterday we saw how different groups of hackers, on the first day of the Pwn2Own 2023 competition, managed to break the security of Windows, macOS, Ubuntu and Adobe, among others. And today, on the second day of the competition, more major platforms have fallen, with flaws that put their users in danger.
This week the hacking competition Pwn2Own 2023 is taking place, a contest held in Vancouver where the best security experts expose the security weaknesses of the main operating systems and programs. This annual competition moves a lot of money, and it has two main objectives: the first is to gain reputation and recognition within the world of computer security by demonstrating who the best hackers are (and winning important cash prizes), and the second is to report serious security flaws to manufacturers so they can fix them and users of their software can be safe.
The entire competition takes place within controlled and safe environments, so neither bugs nor exploits can fall into the wrong hands, and no technical information is provided until the developers have fixed the vulnerabilities and some time has passed since they did so.
On the first day of the competition, different groups of hackers managed to break the security of the main operating systems: Windows, macOS and Ubuntu. They also showed that widely used software such as Adobe Reader and Microsoft SharePoint had serious vulnerabilities that could put users' systems at risk, especially at the enterprise level. Furthermore, they managed to carry out a computer attack to prove something that we all already knew: that the software of the Tesla Model 3 has serious security flaws.
Zero Day Initiative
@thezdi
That concludes Day 2 of #P2OVancouver – we awarded $475,000 for 10 unique zero-days today, bringing the total awarded to $850,000! Stay tuned tomorrow for the final day of the competition. #Pwn2Own https://t.co/EtMnP4Ree5
March 24, 2023 • 00:37
Day two of Pwn2Own 2023
On this second day of competition, hacker groups have continued to attack the main targets to demonstrate how they are capable of exploiting their security flaws. The first to fall, for the second consecutive day, has been Tesla: a group of hackers has again managed to attack the Infotainment Unconfined Root of this manufacturer's system, taking home $250,000, in addition to a Tesla Model 3.
Zero Day Initiative
@thezdi
CONFIRM! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla. When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work! https://t.co/IPOnXG5S0u
March 23, 2023 • 22:17
Another system that has fallen for the second time in a row is Ubuntu. The leading Linux distro, which prides itself so much on being secure, has once again proven otherwise, falling to a privilege escalation exploit that has rewarded the group with $30,000.
Zero Day Initiative
@thezdi
Day 2 wraps up with another success! Tanguy Dubroca (@SidewayRE) from Synacktiv (@Synacktiv) used an incorrect pointer scaling leading to privilege escalation on Ubuntu Desktop. They earn $30,000 and 3 Master of Pwn points. #P2OVancouver #Pwn2Own https://t.co/rtX7tZWqzS
March 24, 2023 • 00:25
The third program to fall on this second day of competition has been Oracle VirtualBox, the popular open source operating system virtualization software. Attackers have managed to create an exploit that takes advantage of three bugs in the software to gain privileges on a host running VirtualBox, which has rewarded them with $80,000.
Zero Day Initiative
@thezdi
Success / Collision – Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) from @Synacktiv demonstrated a 3-bug chain against Oracle VirtualBox with a Host EoP. One bug was previously known. They still earn $80,000 and 8 Master of Pwn points. #Pwn2Own #P2OVancouver https://t.co/0vQTFqYrU6
March 23, 2023 • 20:21
VirtualBox has also been affected by a second security flaw, a Use-After-Free (UAF) bug, which has been rewarded with $40,000.
Zero Day Initiative
@thezdi
Success! dungdm (@_piers2) of Team Viettel (@vcslab) used an uninitialized variable and a UAF bug to exploit Oracle VirtualBox. They earn $40,000 and 4 Master of Pwn points. #Pwn2Own #P2OVancouver https://t.co/Swq8lIjeN7
March 23, 2023 • 23:32
And last but not least, Microsoft Teams, the popular messaging program for companies (which is also integrated into Windows 11), has fallen as well: it was hacked using two exploits, earning the researchers $75,000.
Zero Day Initiative
@thezdi
Success! @hoangnx99, @rskvp93, and @_q5ca from Team Viettel (@vcslab) used a 2-bug chain in their attempt against Microsoft Teams. They earn $75,000 and 8 Master of Pwn points. https://t.co/1dq4ofM6bS
March 23, 2023 • 20:59
In total, this second day of competition has rewarded the researchers with $475,000. And there is still a third day of competition. Who will fall on the last day of Pwn2Own 2023? We will see soon.