dimss, posted March 23, 2020

macOS, Windows 10 and Ubuntu were some of the software that fell to exploits on day 1 of Pwn2Own 2020. A total of $180,000 was up for grabs for 9 bugs in 3 categories, and hackers were able to defeat the security mechanisms in three of the most popular desktop operating systems out there. Due to coronavirus, the annual Pwn2Own event was held virtually, instead of in Vancouver, Canada. The hackers had prepared exploits in advance and sent them to the organizers to demonstrate in a live presentation to all participants.

Apple's desktop operating system was targeted through a vulnerability in Safari with a macOS kernel escalation of privilege. The winners were Georgia Tech Systems Software & Security Lab, who won $70,000 for their successful exploit, which consisted of six bugs. The team also managed to disable System Integrity Protection on the Mac to show that kernel-level code execution was acquired.

Windows 10 was hacked by Flourescence, a Pwn2Own veteran who used his use-after-free (UAF) bug to gain escalated system privileges in Windows. He won $40,000 for this successful exploit.

Ubuntu was hacked by the RedRocket CTF team, with a local privilege escalation (LPE) exploit. An improper input validation bug in Ubuntu's kernel was exploited to gain root access. The successful exploit received $30,000.

Lastly, on day 1, Fluoroacetate used another use-after-free bug in Windows 10 to gain system access from a standard user account. This bug was different from the one used by Flourescence. Fluoroacetate received $40,000 for the exploit.

On day 2, VirtualBox, Adobe Reader on Windows, and VMware Workstation were hacked by various teams. While the teams behind the exploits for VirtualBox and Adobe Reader won $40,000 and $50,000, respectively, the team behind the VMware Workstation hack was unable to demonstrate their exploit in the allotted time. The organizers later confirmed that the bug was valid.
All the companies behind these operating systems and software were provided details of the exploits to help them fix the bugs in future updates. The companies are given 90 days to develop security patches. After this time has passed, the bugs are made public. Somehow, neither Android nor iOS were part of any successful exploits this year, which is good news for users. However, as the Pwn2Own exploits show, no platform is 100% safe, so it is advised that you follow best practices to keep your data secure.

Source: Wccftech
Nytro, posted March 23, 2020

Small sums for big achievements. But it's probably more about showing off.
MrGrj, posted March 24, 2020

11 hours ago, Nytro said: Small sums for big achievements. But it's probably more about showing off.

Small sums? They made a mockery of them. If they had gone to the DW (and not only there) with these...
Nytro, posted March 24, 2020

Yes, they're probably not interested in the money, given that they go there... I'm curious what those firms do: they probably have those 2-3 employees who do research and exploit development all year. And how do they make a profit? That "money" is peanuts, especially since decent salaries in the US start at $150,000 a year. I understand it's fine as marketing, but I don't fully understand their business case.
MrGrj, posted March 24, 2020

4 hours ago, Nytro said: Yes, they're probably not interested in the money, given that they go there... I'm curious what those firms do: they probably have those 2-3 employees who do research and exploit development all year. And how do they make a profit? That "money" is peanuts, especially since decent salaries in the US start at $150,000 a year. I understand it's fine as marketing, but I don't fully understand their business case.

Most likely they are financed and sponsored by those companies to find these.
vatman32, posted March 24, 2020

4 hours ago, Nytro said: Yes, they're probably not interested in the money, given that they go there... I'm curious what those firms do: they probably have those 2-3 employees who do research and exploit development all year. And how do they make a profit? That "money" is peanuts, especially since decent salaries in the US start at $150,000 a year. I understand it's fine as marketing, but I don't fully understand their business case.

Probably through these efforts they gain legitimacy in the market, eventually winning fat contracts, perhaps even with state-owned companies, and so on.