Research teams at the Pwn2Own 2020 competition successfully exploited 13 software vulnerabilities this past week, including bugs found in products from Adobe, Apple, Microsoft, Oracle and Ubuntu. Participants earned $270,000 over the two-day event -- the first Pwn2Own ever to be held virtually, as a measure to combat the rapid spread of the novel coronavirus.
Richard Zhu and Amat Cama of Fluoroacetate repeated their win from last year and were once again crowned Masters of Pwn. On day one, the team demonstrated a use-after-free (UAF) bug in Microsoft Windows and exploited it to escalate privileges to SYSTEM. The next day, they paired UAF bugs in Windows and Adobe Reader to once again elevate to SYSTEM.
Other highlights included a chain of six bugs in Apple Safari that produced a macOS kernel escalation of privilege, another Windows UAF flaw allowing the escalation of privileges to SYSTEM, a local privilege escalation in Ubuntu Desktop, and a two-bug combination in Oracle VirtualBox that enabled code execution on the host OS from the guest OS. Unofficially, the event also featured one additional flaw in VMware Workstation and another in Oracle VirtualBox, although they did not count toward the competition.