
Hackers Win Big at Pwn2Own 2024, Exposing Flaws in Windows 11, Tesla, and More

Pwn2Own Vancouver exposed critical security holes in Tesla, Windows 11, and popular software. Hackers won big for finding zero-day exploits.


The Pwn2Own Vancouver 2024 competition has commenced, showcasing a series of significant cybersecurity vulnerabilities across a range of technology products, including , vehicles, and Ubuntu . The event, which is a focal point for experts worldwide, has already seen participants win a total of $732,500 and a Tesla Model 3 car for their disclosures of zero-day vulnerabilities and exploit chains. Among the notable achievements, the team from Synacktiv stood out by securing a Tesla Model 3 and $200,000 for their swift hack into a Tesla ECU using an integer overflow vulnerability.

Highlighted Exploits and Awards

The competition's first day featured a variety of targets and innovative exploitation techniques. Abdul Aziz Hariri of Haboob SA earned $50,000 for exploiting Adobe Reader on macOS through an API restriction bypass and a command injection bug. Theori's security researchers, Gwangun Jung and Junoh Lee, demonstrated a remarkable escape from a VMware Workstation VM to gain SYSTEM-level execution on the host Windows OS, earning them $130,000. This exploit involved a chain of vulnerabilities including an uninitialized variable bug, a use-after-free (UAF) weakness, and a heap-based buffer overflow.

Additional exploits were demonstrated against virtualization software and web browsers. Reverse Tactics' duo, Bruno PUJOS and Corentin BAYET, exploited Oracle VirtualBox vulnerabilities alongside a Windows UAF bug to escape a VM and achieve SYSTEM privileges, netting $90,000. Manfred Paul successfully targeted Safari, Chrome, and Edge web browsers using three zero-day vulnerabilities, earning $102,500 for his efforts.

Future Implications and Upcoming Challenges

Following the demonstration of zero-days at Pwn2Own, vendors are given a 90-day period to develop and release security patches for the reported flaws, after which Trend Micro's Zero Day Initiative will publicly disclose them. The competition continues with participants set to target a range of products including Windows 11, VMware Workstation, Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, Google Chrome, Docker Desktop, and Microsoft Edge. With over $1,300,000 in prizes, including

Luke Jones