The vulnerabilities were found in Windows 11, Edge, Chrome and Safari, among others. The on-board electronics of a Tesla Model 3 were also hacked, which earned two security researchers a new Tesla, true to the motto “Pwn2Own”.
The Zero Day Initiative has published the first results of the annual hacking competition Pwn2Own. On the first day of the event, security researchers presented a total of 19 previously unknown security vulnerabilities. For this they received prize money totaling $732,500. Vendors including Adobe, Google, Microsoft and VMware now have to fix vulnerabilities in their products, some of them highly critical.
At the start of the competition, a Haboob SA employee achieved arbitrary code execution in Adobe Reader by combining two vulnerabilities in the PDF application. That earned him $50,000. The Devcore Research Team also chained several bugs and achieved an unauthorized escalation of user privileges on Windows 11, for a reward of $30,000.
An exploit for a use-after-free bug in Google Chrome was worth even more at $60,000. An employee of the KAIST Hacking Lab collected the money. Two of Theori’s employees received more than twice as much: $130,000. They also put together a chain of multiple vulnerabilities, which allowed them to execute code on the host system from inside a VMware Workstation virtual machine.
Two Reverse Tactics employees achieved the same thing using Oracle VirtualBox on Windows. They executed the code with system rights, which was rewarded with $90,000. The highest amount of the day went to the Synacktiv team for cracking the CAN bus of a Tesla Model 3. Not only did they win $200,000, they also won a new Tesla Model 3 as a bonus.
Later in the day, successful attacks on Ubuntu Linux, Apple Safari, Oracle VirtualBox, Google Chrome and Microsoft Edge were demonstrated. Demonstrations of vulnerabilities in Windows 11, VMware Workstation, Oracle VirtualBox, Mozilla Firefox, Ubuntu Linux, Google Chrome, Docker Desktop and Microsoft Edge are scheduled for today’s second day of Pwn2Own 2024.