Windows 11 and Teams hacked at Pwn2Own 2022

Now that’s what I call pwning! Both Windows 11 and Microsoft Teams got compromised on the first day of Pwn2Own 2022, an annual hacking event that is being held in Vancouver this year.

To boot, this year marks the 15th anniversary of the prestigious event.

This is a gathering where contestants and cybersecurity experts demonstrate their skills by legally cracking into various software products in exchange for rewards and recognition. These wizards make full use of their expertise, utilizing bugs, 0-day exploits, and other issues to break into these applications and services.

And while Microsoft has done a commendable job of ensuring the safety and security of its software, hackers were quick to find new vectors to attack two of its biggest products.

The results reveal that contestants managed to rack up $800,000 in prize money after skillfully using no fewer than sixteen 0-day bugs to breach multiple products.

Microsoft Teams got served after Hector Peralta used an improper configuration flaw to compromise it, a feat that earned him $150,000 and 15 Master of Pwn points. Masato Kinugawa also put up a solid fight by executing a 3-bug chain of injection, misconfiguration, and sandbox escape.

He also banked $150,000 for his exploits.

Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch of STAR Labs also demonstrated a 0-click exploit chain of 2 bugs.

Windows 11 also got what was coming to it, as a couple of security experts and contestants managed to get through to the operating system despite the security measures put in place to prevent this.

Marcin Wiązowski, for example, made use of an out-of-bounds (OOB) write escalation of privilege on Windows 11 that saw him net $40,000 and 4 Master of Pwn points. Not to mention recognition and high praise from Microsoft.

Events like this are crucial for Redmond, as they help organizations like it identify loopholes that hackers and cybercriminals might use to compromise the security of its software, services, and operating systems.

It also allows these companies to come up with measures and fixes.

Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, and Apple Safari, among others, were products that hackers managed to breach on the opening day of the event.

Good job, everyone!