Now that’s what I call pwning! Both Windows 11 and Microsoft Teams were compromised on the first day of Pwn2Own 2022, an annual hacking event being held in Vancouver this year.
To boot, this year marks the 15th anniversary of the prestigious event.
This is a gathering where contestants and cybersecurity experts demonstrate their skills to crack into various software legally and receive rewards and recognition. These wizards make full use of their expertise by utilizing bugs, 0-day exploits, and other issues to break into these applications and services.
And while Microsoft has done a commendable job of ensuring the safety and security of its software, hackers were quick to find new vectors to attack two of its biggest products.
The results reveal that contestants managed to rack up $800,000 in prize money after skillfully using at least sixteen zero-day bugs to breach multiple software programs.
Microsoft Teams got served after Hector Peralta used an improper configuration flaw to compromise it, a feat that earned him $150,000 and 15 Master of Pwn points. Masato Kinugawa also put up a solid fight by executing a 3-bug chain of injection, misconfiguration, and sandbox escape.
He also banked $150,000 for his exploits.
Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch of STAR Labs also demonstrated a 0-click exploit chain of 2 bugs.
Windows 11 also got what was coming to it, as a couple of security experts and contestants managed to access the operating system despite the security measures put in place to prevent this.
Marcin Wiązowski, for example, used an OOB write escalation of privilege on Windows 11 that netted him $40,000 and 4 Master of Pwn points, not to mention recognition and high praise from Microsoft.
Events like this are crucial for Redmond, as they help organizations like it identify loopholes that hackers and cybercriminals might use to compromise the security of their software, services, and operating systems.
It also allows these companies to come up with measures and fixes.
Hackers managed to breach Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, and Apple Safari, among others, on the opening day of the event.
Good job, everyone!