dimss

macOS, Windows 10 and Ubuntu Hacked at Pwn2Own 2020


macOS, Windows 10 and Ubuntu were among the targets that fell to exploits on day 1 of Pwn2Own 2020. A total of $180,000 was up for grabs for 9 bugs in 3 categories, and the contestants defeated the security mechanisms of three of the most popular desktop operating systems. Because of the coronavirus, the annual Pwn2Own event was held virtually instead of in Vancouver, Canada: the contestants prepared their exploits in advance and sent them to the organizers, who ran them in a live presentation for all participants.

Apple's desktop operating system was targeted through a vulnerability in Safari chained with a macOS kernel escalation of privilege. The winners were the Georgia Tech Systems Software & Security Lab, who earned $70,000 for a successful exploit chain consisting of six bugs. The team also disabled System Integrity Protection on the Mac to demonstrate that kernel-level code execution had been achieved.

Windows 10 was hacked by Fluorescence, a Pwn2Own veteran, who used a use-after-free (UAF) bug to escalate to SYSTEM privileges. He won $40,000 for this exploit.

Ubuntu was hacked by the RedRocket CTF team with a local privilege escalation (LPE) exploit: an improper input validation bug in the Ubuntu kernel was exploited to gain root. The exploit earned $30,000.

Lastly, on day 1, Fluoroacetate used another use-after-free bug in Windows 10 to gain SYSTEM access from a standard user account. This bug was different from the one used by Fluorescence. Fluoroacetate received $40,000 for the exploit.

On day 2, VirtualBox, Adobe Reader on Windows and VMware Workstation were targeted by various teams. The teams behind the VirtualBox and Adobe Reader exploits won $40,000 and $50,000, respectively, while the team behind the VMware Workstation attempt was unable to demonstrate their exploit within the allotted time. The organizers later confirmed that the bug was valid.

All the vendors of these operating systems and applications were given details of the exploits so they can fix the bugs in future updates. The vendors have 90 days to develop security patches; after that period, the bugs are made public.

Neither Android nor iOS were part of any successful exploits this year, which is good news for users. However, as the Pwn2Own exploits show, no platform is 100% safe, so it is advisable to follow best practices to keep your data secure.

Source: Wccftech


Yes, they probably don't care about the money, given that they go there...

I'm curious what those companies do: they probably have those 2-3 employees who do research and exploit development all year. And how do they make a profit? That "money" is peanuts, especially since decent salaries in the US start at $150,000 a year.

I understand it's fine as marketing, but I don't fully understand their business case.


4 hours ago, Nytro said:

Yes, they probably don't care about the money, given that they go there...

I'm curious what those companies do: they probably have those 2-3 employees who do research and exploit development all year. And how do they make a profit? That "money" is peanuts, especially since decent salaries in the US start at $150,000 a year.

I understand it's fine as marketing, but I don't fully understand their business case.

Most likely they are funded and sponsored by those very companies to find those bugs. :D


4 hours ago, Nytro said:

Yes, they probably don't care about the money, given that they go there...

I'm curious what those companies do: they probably have those 2-3 employees who do research and exploit development all year. And how do they make a profit? That "money" is peanuts, especially since decent salaries in the US start at $150,000 a year.

I understand it's fine as marketing, but I don't fully understand their business case.

They probably gain legitimacy in the market through things like this, eventually winning fat contracts, maybe even with state-owned companies and so on.
