Google has fixed another zero-day vulnerability in the Chrome browser, which was exploited at the Pwn2Own hacking contest. This high-severity security flaw, tracked as CVE-2024-3159, allowed remote attackers to gain access to sensitive information or trigger a crash. Google has also recently fixed two other zero-day vulnerabilities targeted at Pwn2Own Vancouver 2024, and has patched four Chrome zero-days in total this year.
Google fixed two zero-day vulnerabilities in the Chrome web browser that were exploited during the Pwn2Own Vancouver 2024 hacking competition, addressing high-severity weaknesses in the WebAssembly and WebCodecs API. Mozilla also patched two Firefox zero-days exploited at the same event. The competition concluded with security researchers earning $1,132,500 for demonstrating 29 zero-day exploits and exploit chains over two days, with Manfred Paul emerging as the winner after taking down Apple Safari, Google Chrome, and Microsoft Edge web browsers.
Mozilla has swiftly patched two zero-day vulnerabilities in Firefox that were exploited during the Pwn2Own Vancouver 2024 hacking competition, preventing potential remote code execution attacks. The vulnerabilities allowed for out-of-bounds write and privileged JavaScript execution, and were fixed in Firefox 124.0.1 and Firefox ESR 115.9.1. Manfred Paul earned $100,000 and 10 Master of Pwn points for exploiting the flaws, and also successfully hacked Apple Safari, Google Chrome, and Microsoft Edge during the competition.
VMware has released security updates to fix two zero-day vulnerabilities that were part of an exploit chain demonstrated by security researchers at the Pwn2Own Vancouver 2023 hacking contest. The vulnerabilities could be chained to gain code execution on systems running unpatched versions of VMware's Workstation and Fusion software hypervisors. VMware has also addressed two more security flaws affecting its hosted hypervisors and shared temporary workarounds for admins who cannot immediately deploy patches.
A team of hackers from French security shop Synacktiv won $100,000 and a Tesla Model 3 after subverting the car's entertainment system and opening up its core management systems at the annual Pwn2Own competition. Twitter's source code was leaked online, and the company is asking GitHub to identify who posted the code and anyone who downloaded it. The Office of Inspector General found that Login.gov misled its customers and other government agencies by telling them that it complied with NIST standards.
On the final day of the Pwn2Own hacking contest, security researchers earned $185,000 by demonstrating five zero-day exploits targeting Windows 11, Ubuntu Desktop, and VMware Workstation. Ubuntu Desktop was hacked three times by three different teams, with three working zero-day exploits. A fully patched Windows 11 system was also hacked, and the STAR Labs team used an exploit chain against VMware Workstation. In total, 27 zero-day exploits were demoed during the three-day event, with Synacktiv earning $530,000 and a Tesla Model 3 car for their exploits. Vendors have 90 days to patch the bugs before technical details are publicly released.
Tesla's Model 3 was successfully hacked at the Pwn2Own conference, with the hackers winning $100,000 and the car they compromised. The hackers gained root access to Tesla's system and claimed to have taken over the whole car through a TOCTTOU exploit. Tesla has been investing heavily in cybersecurity and working with whitehat hackers to make their products more secure. The findings of these hacks are shared with the companies to help improve their security.
The first day of the Pwn2Own 2023 hacking contest saw five participants win a total of $375,000 by finding 12 zero-day vulnerabilities in popular software platforms and a Tesla Model 3 car. Offensive security firm Synacktiv won the most money and a Tesla Model 3 by compromising the car with a TOCTOU attack and escaping access privileges on macOS. The STAR Labs team won second place by targeting Microsoft SharePoint and successfully hacking the Ubuntu Desktop operating system. The Zero Day Initiative will disclose the details of the zero-day vulnerabilities to their respective software vendors, who will have 90 days to release security patches.
Competitors at Pwn2Own Vancouver 2023 successfully exploited 10 zero-day vulnerabilities in products such as Tesla Model 3, Microsoft Teams, Oracle VirtualBox, and Ubuntu Desktop, earning a total of $475,000. Synacktiv's David Berard and Vincent Dehors won $250,000 and a Tesla Model 3 after hacking the Tesla Infotainment Unconfined Root target. The vendors have 90 days to patch the vulnerabilities before they are publicly disclosed. The contest offers a total prize of $1,080,000 and two Tesla Model 3 cars.
A group of hackers successfully hacked a Tesla Model 3 and won the vehicle along with a $100,000 prize at the Pwn2Own hacking competition. The hackers used a TOCTOU exploit to gain access to the vehicle, which involves altering internal files to gain system access. The details of how the hack was performed have not been made entirely public to avoid a security risk for Tesla owners. As electric vehicles and their significant amount of integrated software have become more common in everyday life, the security around them has become significantly more critical.
On the first day of Pwn2Own Vancouver 2023, security researchers successfully hacked Tesla Model 3, Windows 11, and macOS using zero-day exploits and exploit chains, earning $375,000 and a Tesla Model 3. Other products hacked include Adobe Reader, Microsoft SharePoint, Ubuntu Desktop, and Oracle VirtualBox. The contest will continue for three days, with contestants targeting products in various categories. After the vulnerabilities are disclosed to them, vendors have 90 days to release security fixes before the details are made public.