Posted on May 22, 2022 at 7:55 PM
The Pwn2own hacking event in Vancouver has proven that companies need to do a lot more to make their software safe. The event exposed flaws in Ubuntu Desktop, Microsoft Teams, Windows 11, as well as Tesla Model 3 electric car. But one of the fasted successful hacks was the exposure of a vulnerability in Mozilla Firefox. It took only 8 seconds for the browser to be hacked. the hacker explored two critical vulnerabilities in the browser.
The hacker, Manfred Paul, also displayed extreme talent in his profession, after carrying out a lightning-fast double exploit on the browser during the event, which ended on Friday, May 20.
Following his incredibly fast zero-day hack, he was awarded $100,000 from the organizers for his efforts during the opening day of the three-day event. And later the same day he successfully exploited another zero-day on the Apple Safari browser, earning him another $50,000 in the process.
After exploiting the vulnerabilities of Mozilla, the hacker disclosed the successful hack to Mozilla Foundation, with both of the flaws rated as highly significant. The two vulnerabilities are CVE-2022-1529 and CVE-2022-1802, and they are described below.
Users Have Been Assured Of Safety
While the severity of the vulnerability cannot be overemphasized, the users of Microsoft browsers users have been assured that they are at no security risk. This is because, shortly after the hack, the Firefox developers reacted immediately to provide a patch. They were ultra-fast in their response to the vulnerability discovery, probably because their security experts were in-wait and prepared for any exposure during eth competition.
Additionally, Firefox will be updating the browser automatically, and it will appear by default. This means that the update can take place in the background as long as the user is connected to the internet. By now, the update may have been fixed on most browsers, which means many users are safe from any exploit on the said vulnerability.
However, the browser needs to restart before the update can apply. This means that those who have kept their browser running without restarting may not be protected. Also, those who have disabled automatic updates are not going to be protected as well.
Users can allow automatic updates of the browser by going to the top right of the menu and fo to Help!About Firefox.
Before the Pwn2own event, a quick check of the iOS app status shows that it has not been updated.
More Companies Exposed By Security Researchers On The Third Day
The just-concluded Pwn2own revealed that companies have a lot to do when it comes to the security of their software. Security researchers successfully infiltrated Microsoft Windows 11 operating system three more times after the first exposure on the first day of the event.
The first attempt of the day targeted Microsoft Team, but it failed after Team DoubleDragon could not Demo their exploit within the allocated time. But other contestants successfully hacked their targets, receiving $160,000 in the process, after hacking Ubuntu Desktop once and Windows 11 three times.
Nghiadt12 from Viettel Cyber Security was the first hacker to successfully demonstrate a Windows 11 escalation or privilege zero-day, through Integer Overflow. This occurred on the final day of the event.
Vinhthp1712 and Bruno Pujos from REverse Tactics also escalated privileges on Windows 11 through Improper Access Control and Use-After-Free exploit. The third vulnerability exploit was successfully carried out by Billy Jheng Bing-Jhong of STAR Labs after hacking a system running Ubuntu, using a Use-After-Free exploit.
The hacking event in Vancouver featured several hackers, with 17 of them receiving a total reward of $1,155,000 for zero-day exploits.
Hackers earned $800,000 on the first day of the event after they successfully exploiting16 zero-day vulnerabilities to hack several products. On the second day, $195,000 was paid to contestants after they successfully hacked Microsoft Windows 11, Ubuntu Desktop, and Tesla Model 3 Infotainment System.