Pwn2Own 2021 has ended. Windows 10, Ubuntu, Safari, Chrome, Zoom and more were successfully hacked


The largest hacking competition – the spring Pwn2Own 2021 – has ended. This time it all ended in a three-way draw between Team Devcore and OV, as well as the duo of cybersecurity experts Daan Keuper and Thijs Alkemade from Computest. All three teams finished the competition with 20 points each.

In total, over three days, Pwn2Own participants earned $1,210,000. Detailed results can be found on the Trend Micro Zero Day Initiative (ZDI) blog.

Under normal circumstances, the event is held as part of the CanSecWest conference in Canada, but due to the coronavirus pandemic, this year Pwn2Own was held online again, like the spring and fall Pwn2Own last year. To this end, the organizers published a list of suitable targets back in January, and several teams applied for participation, with a total of 23 hacks planned against ten different products from the list. The teams had 15 minutes to launch the exploit and execute code remotely inside the target application. For each exploit that worked, participants received a cash prize from the sponsors of the competition and points for the tournament table.

Spring Pwn2Own 2021, as usual, lasted three days. As a result of the competition, Windows 10, Ubuntu, Safari, Chrome, Zoom, Microsoft Exchange, Microsoft Teams and Parallels Desktop were successfully compromised. Interestingly, none of this year’s entrants attempted to hack the Tesla Model 3 car provided in the competition. The last time a car was hacked was in 2019.

Cybersecurity experts unambiguously recognized the Zoom hack, which does not require user interaction, as the most impressive and dangerous compromise of this year. It was demonstrated by Daan Keuper and Thijs Alkemade of Computest, and the exploit earned the experts $200,000.

The exploit is known to combine three vulnerabilities at once and works on the latest versions of Windows 10 and Zoom. In the researchers’ demo, the victim simply received an invitation to a meeting from the attacker and didn’t even need to click anywhere: the malicious code was executed automatically. Since the vulnerabilities have not yet been patched, the technical details of the attack are still kept secret.

The attack works against Windows and Mac versions of Zoom, but has not yet been tested on iOS or Android. Zoom developers have already told the media that they are working to fix the problem and thanked the experts for their work.

“We take security very seriously and appreciate Computest’s research. We are working to resolve this issue in Zoom Chat, our group messaging product. This issue does not affect in-session chat in Zoom Meetings and Zoom Video Webinars. In addition, the attack must come from an accepted external contact or be part of the account of the same organization. Zoom recommends that users only accept requests to add to contacts from people they know and trust,” the developers say.
