On the occasion of the famous Pwn2Own 2023 hacking contest in Vancouver, hackers and computer security researchers used and brought to light zero-day flaws on Windows 11, macOS and at Tesla.
Each year, hackers and security researchers from around the world compete at the Pwn2Own. A very important event, especially for manufacturers, since it allows them to test their security systems.
Of course, each new vulnerability discovered and each successful intrusion is rewarded. After having damaged the Galaxy S22 during the Pwn2Own 2022 in Toronto, the participants are invited this year to Vancouver to break the protections of Windows 11, macOS, Ubuntu or Tesla.
The competition opened its doors on March 22, 2023 and will conclude two days later. During the 1st day of competition, the hackers multiplied their efforts to try to win part of the $375,000 at stakeas well as the first prize: a Tesla Model 3.
Tesla, Windows 11 and macOS gave in to hacker attacks
As we can see on the official blog Zero Day Initiative, Adobe Reader was the first to fall in the Enterprise Applications category. Haboob SA’s Abdul Aziz Hariri abused multiple failing patches through a 6-bug logic chain. In the aftermath, the hacker managed to bypass a list of APIs on macOSwhich allowed him to win $50,000 in total.
Next, the STAR Labs team brought to light a zero-day flaw in Microsoft’s SharePoint collaboration platform. Thanks to this feat, the collective won $100,000. But that’s not all since he also managed to hack Ubuntu Desktop via an already known flaw (15,000 dollars more added to the winnings).
Also read: Zoom is victim of a series of flaws that give hackers full access to your PC
On his side, hacker Synacktiv won $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (Time of check of Time to use) attack against Tesla Gateway in the Automotive category. The hacker used the same method to elevate his privileges on macOS. In total, Synactiv walked away with $140,000 and the electric sedan.
Windows 11 was also abused by Marcin Wiazowski, which exploited an improper input validation zero-day flaw. He got $30,000 for his discovery. This Thursday, March 23, 2023, participants were invited to demonstrate zero-day vulnerabilities on Microsoft Teams, Oracle VirtualBox, Tesla Model 3 Infotainment Unconfined Root and Ubuntu Desktop.
