Pwn2Own Berlin 2025 Reveals The Next Topics On Insecurity Corner



Find Stupid Bugs, Win Serious Cash

Pwn2Own has kicked off in Berlin and a disturbing number of zero days have been on display on the first day. They range from Windows 11 to Red Hat to Oracle's VirtualBox and may soon be coming to a computer near you unless the vulnerabilities can be patched quickly. There were three found for Microsoft's OS, including an integer overflow, a type confusion and an out-of-bounds write vulnerability, all of which granted SYSTEM privileges to an attacker. Red Hat failed in the local privilege escalation category thanks to another integer overflow vulnerability, as well as an exploit chaining a use-after-free and an information leak, part of which was already known but still vulnerable to exploitation. The day also included an integer overflow bug that allows an attacker to escape Oracle VirtualBox and execute code on the underlying operating system, which is definitely a bad thing!

There were a few other exploits discovered and bounties paid on the first day, which are covered at Bleeping Computer. Day two will see Microsoft SharePoint, VMware ESXi, Mozilla and Firefox tested, along with more attempts at Red Hat Enterprise Linux for Workstations and Oracle VirtualBox. Thankfully all of these exploits will be thoroughly documented and the victims given the details so they can patch them. Still, Pwn2Own is always stressful for the security-minded.


