$1.5 million is up for grabs in prize money during Pwn2Own 2021 and so far researchers have found vulnerabilities across numerous popular services. Among them are Apple’s Safar browser, Microsoft Exchange, Windows, Ubuntu, Google Chrome, and Microsoft Edge. Some of the vulnerabilities found include flaws that would lead to problems for Web Browsers, Servers, Enterprise Communication tools, and more.
Microsoft Vulnerabilities
There were problems found across a range of Microsoft services. Starting with Microsoft Exchange, the DEVCORE research teams found an authentication bypass and local privilege escalation flaw that would allow them to take over a server. On Windows 10, Team Viettel found a hole in Windows 10 security by using an integer overflow to escalate privileges for regular users to SYSTEM wide privileges. Palo Alto Networks researcher Tao Yan leveraged a Race Condition bug to create SYSTEM privileges on a Windows 10 machine that was fully patched. A researcher known as OV targeted Microsoft Teams with two bugs that show how a code execution attack could happen. On Microsoft Edge and Google Chrome (both sharing the Chromium engine) with a Typer Mismatch bug that allows an attack on the browsers.
Flaws on Other Services
RET2 Systems’ Jack Date found a vulnerability in Apple’s Safari web browser. By using an integer overflow, he was able to use a OOB Write to access kernel-level code on the browser. A Zoom vulnerability was found by Daan Keuper and Thijs Alkemade from Computest. Specifically, a three bug chain for the messenger app that allows a code execution to hit the system. Interestingly, the victim would not need to click anything to initiate the attack. You can check out the Pwn2Own event on YouTube, Twitch, and the conference site here. Tip of the day: Having problems with pop-ups and unwanted programs in Windows 10? Try the hidden adware blocker of Windows Defender. We show you how to turn it on in just a few steps.