Pwn2Own witnessed hackers defeating the security of not just Windows 10, but also macOS and Ubuntu – all on the very first day.
Due to the coronavirus outbreak, the big hacking event was held with all those involved participating remotely – with their exploits prepared in advance – rather than in Vancouver as is usually the case (as part of the CanSecWest security conference).
As to the specifics, Windows 10 was hacked by Flourescence, leveraging a use-after-free (memory corruption) bug to get escalated system privileges, which earned a cool $40,000 (around £34,000, AU$68,000).
It was double trouble for Windows 10 as Microsoft’s operating system also came a cropper with another (different) use-after-free vulnerability demonstrated by team Fluoroacetate, which was again worth $40,000 (around £34,000, AU$68,000).
If that name rings a bell, that’s because Fluoroacetate exploited a vulnerability in Tesla’s in-car browser at Pwn2Own last year, which earned them one of the electric cars as well as a ton of prize money: $375,000 (around £320,000, AU$635,000), in fact.
When it came to macOS this year, that was punished through the Safari web browser, with escalation of privileges achieved via six different vulnerabilities – with a resulting payout of $70,000 (around £60,000, AU$120,000).
And it was the RedRocket CTF team which defeated Ubuntu’s security with a local privilege escalation exploit via an input validation bug in the Ubuntu kernel, which earned them $30,000 (around £26,000, AU$50,000).
Other victims followed after day one, unsurprisingly, including Adobe Reader on Windows, VMWare Workstation and VirtualBox, all of which were successfully exploited.
The idea, of course, is that with these security holes pointed out, developers can then fix them before they are actually exploited for nefarious means in the wild.
What about mobile platforms? Interestingly there were no victories for the hackers against the big mobile operating systems this time around, with Android and iOS coming away unscathed. Furthermore, Tesla wasn’t troubled by the hackers this year, either.