HomeWinBuzzer NewsHackers Win Big at Pwn2Own 2024, Exposing Flaws in Windows 11, Tesla,...

Hackers Win Big at Pwn2Own 2024, Exposing Flaws in Windows 11, Tesla, and More

Pwn2Own Vancouver exposed critical security holes in Tesla, Windows 11, and popular software. Hackers won big for finding zero-day exploits

-

The Pwn2Own Vancouver 2024 competition has commenced, showcasing a series of significant cybersecurity vulnerabilities across a range of technology products, including Windows 11, Tesla vehicles, and Ubuntu Linux. The event, which is a focal point for cybersecurity experts worldwide, has already seen participants win a total of $732,500 and a Tesla Model 3 car for their disclosures of zero-day vulnerabilities and exploit chains. Among the notable achievements, the team from Synacktiv stood out by securing a Tesla Model 3 and $200,000 for their swift hack into a Tesla ECU using an integer overflow vulnerability.

Highlighted Exploits and Awards

The competition’s first day featured a variety of targets and innovative exploitation techniques. Abdul Aziz Hariri of Haboob SA earned $50,000 for exploiting Adobe Reader on macOS through an API restriction bypass and a command injection bug. Theori’s security researchers, Gwangun Jung and Junoh Lee, demonstrated a remarkable escape from a VMware Workstation VM to gain SYSTEM-level execution on the host Windows OS, earning them $130,000. This exploit involved a chain of vulnerabilities including an uninitialized variable bug, a use-after-free (UAF) weakness, and a heap-based buffer overflow.

Additional exploits were demonstrated against virtualization software and web browsers. Reverse Tactics’ duo, Bruno PUJOS and Corentin BAYET, exploited Oracle VirtualBox vulnerabilities alongside a Windows UAF bug to escape a VM and achieve SYSTEM privileges, netting $90,000. Manfred Paul successfully targeted Apple Safari, Google Chrome, and Microsoft Edge web browsers using three zero-day vulnerabilities, earning $102,500 for his efforts.

Future Implications and Upcoming Challenges

Following the demonstration of zero-days at Pwn2Own, vendors are given a 90-day period to develop and release security patches for the reported flaws, after which Trend Micro’s Zero Day Initiative will publicly disclose them. The competition continues with participants set to target a range of products including Windows 11, VMware Workstation, Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, Google Chrome, Docker Desktop, and Microsoft Edge. With over $1,300,000 in prizes, including

Last Updated on November 7, 2024 9:36 pm CET

Luke Jones
Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x
Mastodon