Archive for May 22, 2022

Pwn2Own Wraps Up With Microsoft Windows, Teams, Apple, Firefox, Ubuntu & Tesla Getting Pwned

Posted in Commentary on May 22, 2022 by itnerd

Pwn2Own was held over the last three days in Vancouver, and Trend Micro, who put on the contest, handed out $1,115,000 to those who managed to expose one or more zero days. In terms of what got pwned, here’s a list:

The contest awarded a total of $1,155,000 this year, and the biggest payouts were for serious exploits against Microsoft’s Teams utility. While Teams isn’t technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector “p3rr0” Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn’t spared, though. Marcin Wiązowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft’s operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no fewer than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000.

As far as the Tesla Model 3 goes, Synacktiv were able to demonstrate a sandbox escape exploit on the car’s infotainment system. That could allow an attacker to take control of the car’s built-in computer and, given another couple of clever exploits, could feasibly be the first step toward a remote attacker taking control of the car’s autopilot system. The group earned $75,000 for the bug.

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked).

There were a few failed hacks, but details on those have not been made public. Trend Micro does, however, have a blog post describing the successful hacks that’s worth reading.

Expect a big dump of software updates shortly from those who got pwned.