Apple macOS, Microsoft Windows 11, Ubuntu Desktop Hacked During $1 Million Hacking Spree

What might happen if some of the world’s most proficient hackers targeted some of the biggest tech names at the same time? That’s what we are finding out as the Pwn2Own Vancouver 2023 hacking competition kicked off yesterday, and some tech titans fell to some serious zero-day security exploit action. Over the course of just this one day, 22 March, Apple macOS, Microsoft Windows 11, Microsoft SharePoint, Ubuntu Desktop, Tesla Gateway, Adobe Reader, and Oracle VirtualBox all fell at the hands of these elite hackers.

And that’s just for starters as Pwn2Own Vancouver 2023 doesn’t wrap up until 24 March. With more than $1 million up for grabs, $375,000 was awarded on day one; you can be sure that the remaining targets, including Microsoft Teams and VMWare Workstation, will be tested hard.

All of which is, actually, a really good thing.

What is the Pwn2Own hacking event?

Pwn2Own is a global hacking event organized by the Trend Micro Zero-Day Initiative (ZDI), which has been running since 2005. It sees some of the best hacking teams compete against pre-determined tech targets and each other, using previously unknown ‘zero-day’ exploits. These elite bounty-hunting hackers and security researchers have a strict time limit in which to successfully ‘pwn’ the targets in question. Success is rewarded both by points that are added to a Masters of Pwn leaderboard, and Pwn2Own kudos should not be underestimated as the competitive nature is strong here, as well as with impressive payments. In all, Pwn2Own Vancouver 2023 has a prize fund in excess of $1 million.

MORE FROM FORBESCheck Your Samsung Smartphone Now To See If You Are Safe From This New 0-Click AttackBy Davey Winder

Hacking is not a crime

How can this be a good thing, do I hear you ask? The answer is simple: every vulnerability exploited by these zero-day hackers is immediately turned over to the vendor in question in order for them to fix the issue. Patches are then released before any technical information of merit is disclosed to the public to ensure less ethical actors cannot maliciously exploit the vulnerabilities. None of the zero-days are either sold or redistributed by ZDI.

Who hacked what on day one of Pwn2Own Vancouver 2023?

The Synacktiv team was able to hack both the Apple macOS kernel, in an elevation of privileges attack, and the Tesla Gateway. Both employing a time-of-check to time-of-use (TOCTOU) attack during the exploits.

Winnings: $140,000 and a Tesla Model 3

Master of Pwn points: 14

The STAR Labs team executed a successful chained exploit against Microsoft SharePoint as well as another, although using a previously known vulnerability this time, against Ubuntu Desktop.

Winnings: $115,000

Master of Pwn points: 11.5

AbdulAziz Hariri from Haboob SA, hacked Adobe Reader using an impressive six-vulnerability chain exploit to escape the Adobe sandbox.

Winnings: $50,000

Master of Pwn points: 5

Bien Pham from Qrious Security was successful in executing an exploit against Oracle VirtualBox.

Winnings: $40,000

Master of Pwn points: 4

Marcin Wiazowski managed to execute an elevation of privileges attack against Windows 11 successfully.

Winnings: $30,000

Master of Pwn points: 3