
Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop (hothardware.com)

As Pwn2Own Vancouver comes to a close, a total of $1,115,000 has been awarded by Trend Micro's Zero Day Initiative (ZDI). The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware, though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the application.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no fewer than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public yet, because they're zero-days: the bugs haven't been patched, so releasing exploit details now could allow malicious actors to make use of them. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company STAR Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
  • by arglebargle_xiv ( 2212710 ) on Sunday May 22, 2022 @02:06AM (#62555768)

    While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11,

    Of course it is, because my mom needs to have fscking Microsoft Teams on her tablet when she's looking up cookie recipes.

  • I appreciate the utility of a contest to find exploits. And not publishing them is necessary to keep the floodgates from being opened. But I wonder if they can really keep such a tight lid on them that there isn't some leakage.

  • They're not the biggest targets; they're low hanging fruit.
  • by Bu11etmagnet ( 1071376 ) on Sunday May 22, 2022 @04:16AM (#62555890)

    Sounds like a booby prize to me.

  • by drinkypoo ( 153816 ) on Sunday May 22, 2022 @07:17AM (#62556026)

    A blog post from Zero Day Initiative describes all 21 attacks

    It doesn't even say if they're local or remote. They seem to all be local vulns... at least the OS attacks, if not the browser ones.

  • by quonset ( 4839537 ) on Sunday May 22, 2022 @08:41AM (#62556130)

    Considering the craptastic interface the overpaid programmers at Microsoft created, Teams does well enough losing information without outside help. Trying to open and read a Word document someone posts results in Teams opening the file, not Word, and trying to move through the document is like crawling through jello.

    The overpaid hacks can't even get word usage correct. Attach a file to a conversation and you get a message you're "sharing" the file. I'm not sharing anything. I'm giving it over to the person or group. I'm not getting the file back.

    The same with figuring out how to save a file. You're told you're "downloading" the file. That might be what is physically happening, but the reality is you're saving the file. That word usage has been in existence since DOS. No need to confuse people.

    If you're looking at a file within a directory in Teams and hit the back arrow, you don't go back one level to the directory itself. Nope, you go all the way out to the entire group and have to start all over again.

    Teams is the only piece of software that I'm aware of in which you can't choose where to save a file. There is one and only location dictated by Microsoft.

    Teams is what happens when you let programmers design software. It has no coherency, no logic, and only works under certain situations.

    • "Teams is what happens when you let programmers design software."

      This!
      It is also what has given us tagging rather than using folder structure, the dark UI fad, and client-side decorations. Because developers are generally not very smart, and by the nature of their work are focussed on only their little app rather than the complete UX and UI for a user and their device plus applications.

    • by Voyager529 ( 1363959 ) on Sunday May 22, 2022 @10:19AM (#62556256)

      Teams is what happens when you let programmers design software. It has no coherency, no logic, and only works under certain situations.

      I'd submit that it's just the opposite. Teams is what happens when the higher-ups try to make one piece of software that does everything. Instead of separate functionality and modular design, Teams is supposed to be a replacement for Slack, Zoom, Teamviewer, Google Drive, Facebook, and probably 3-4 other things. It's the epitome of everything wrong with 'agile software', where the goal is to add more features as quickly as it compiles, with nobody stopping for optimization or limiting scope creep, let alone addressing security vulnerabilities prior to deployment.

      I'm not saying that software designed exclusively by programmers with no managerial oversight wouldn't have problems, but I am saying that those problems would look very different. It might be 'too configurable', it might be 'too modular', old-guard programmers would probably have a dozen separate executables and optimize for local use and make keyboard shortcuts the primary interactivity method, while new-blood programmers might ignore any and all visual cues and implement swipe gestures on desktop software.

      There's no one right way to make a UI...but there sure are plenty of wrong ways to do it.

    • Attach a file to a conversation and you get a message you're "sharing" the file. I'm not sharing anything. I'm giving it over to the person or group. I'm not getting the file back

      Well, you can always ask the other person to copy the file and give the original back.

      And yes, you are "sharing" the file, since the original stays with you. Just like you would "share" a movie using ... file sharing software.

  • conveniently get out of the headline :P

    Yes, the Apple browser was "owned", and the infotainment system of a Tesla was also "owned".

  • When the article mentions Ubuntu, it seems they mean the standard Gnome desktop. I see no reason to assume the same bugs are in xfce4 or other desktops on Ubuntu.

    Don't the Ubuntu folks run CoverityScan?

    • I'm curious about the "Ubuntu" bugs as well. Are they exclusive to Ubuntu (bad) or to Gnome (worse), or are they system-level exploits that would affect all GNU/Linux distributions (worst)?
  • Chrome was not exploited? That is impressive.
