During the Pwn2Own Vancouver hacking competition, security experts managed to discover three critical flaws in Microsoft’s Windows 11.
As every year, groups of hackers met in Vancouver, Canada, to hack a range of products in the well-known Pwn2Own contest. The 2022 edition was a good year: 17 teams earned a total of 1,155,000 from exploit chains and 25 zero-day vulnerabilities discovered over three days of competition. The first day was particularly intense and rewarding, with 800,000 dollars in rewards for the discovery of 16 critical flaws in several products (Windows 11, Teams, Ubuntu Desktop, Apple Safari, Oracle VirtualBox and Mozilla Firefox).
Microsoft's latest OS suffered particularly during the competition, with 6 exploits discovered, including three of the "zero day" type. The first is a privilege escalation via an integer overflow and was found by nghiadt12 of Viettel Cyber Security. The other two flaws are a use-after-free (use of memory after it has been freed) and an improper access control issue, both of which again allow elevation of privileges. They were discovered by Bruno Pujos of REverse Tactics and vinhthp1712.
Ubuntu Desktop and Tesla Model 3 targeted
Other systems, such as Ubuntu Desktop, were also breached. Jheng Bing-Jhong of STAR Labs used a use-after-free exploit to take control of the Linux distribution. Weaknesses were also found in the entertainment system of a Tesla Model 3. These are unrelated, however, to a researcher's announcement last week of remote control of this vehicle via a flaw in Bluetooth Low Energy (BLE).
After an edition in April devoted to hacking industrial systems, Pwn2Own once again tested the security of IT products (browsers, operating systems, collaboration tools). The affected vendors now have 90 days to release patches before Trend Micro's Zero Day Initiative (the contest organizer) releases details of the flaws.