Security researchers meet in Vancouver, hack through popular applications and operating systems – and pocket cash prizes.
In the Pwn2Own hacking competition, security researchers try to attack software via previously unknown security gaps (zero days) within a set time frame. At the current edition in Vancouver, many well-known applications and systems fell on the second day.
According to initial information from the organizers at Trend Micro's Zero Day Initiative, participants had already pocketed 485,000 US dollars in prize money on the second of three days. So far, Microsoft's communication software Teams has fallen three times. In one case, a security researcher was able to chain three bugs together to eventually break out of the sandbox. This achievement alone earned a $150,000 bounty.
Successful Attacks on Ubuntu and Windows
Out of four attempts to attack Windows 11, three attempts were successful by the second day of the competition. A participant was able to obtain higher user rights by provoking a memory error (out-of-bounds). That was worth $40,000, and on top of that, there was kudos from Microsoft for the accompanying white paper.
The Linux distribution Ubuntu Desktop was hit three times. The descriptions of the attacks read as if the security researchers could have executed malicious code. Something like this is considered the supreme discipline. After such an attack, attackers usually completely compromise systems.
The participants also successfully attacked Apple's Safari, Firefox and Oracle VirtualBox. In addition, breaking out of the sandbox of the infotainment system of a Tesla Model 3 was possible. Another attempt to hack a Tesla model failed because the timer expired.
Software makers now have 90 days to provide security updates. As a rule, however, the patches appear earlier.
[UPDATE 20.05.2022 1:10 p.m.]
Attacked Ubuntu version specified in the running text.