There is no such thing as 100% secure software. Every program can, in one way or another, endanger the security of our computer and our data, and the more complex a program is, the more likely it is to contain bugs and the easier they are to find. That is why both researchers and developers are constantly working to find and fix new bugs that could put users at risk. This work is so important that there are even contests dedicated to finding and exploiting bugs, such as Pwn2Own.
Security flaws in software are discovered in three main ways. First, each company (such as Microsoft or Google) has its own researchers who analyze its products for security flaws. Second, there are companies dedicated to investigating these flaws and collecting the rewards that vendors offer in exchange for the information, which is then used to harden their products. Third, there are hackers who are constantly looking for new weaknesses in all kinds of programs, either for their own use or to sell to other hackers on the black market.
Although for a long time the sale of vulnerabilities to other hackers was the predominant route, bug bounty programs have reduced this, and many researchers now prefer to report a bug officially and earn legal money for it rather than turn to the black market. In addition, competitions like Pwn2Own let teams of hackers compete against each other to find vulnerabilities in all kinds of software and earn good money for each flaw they demonstrate.
Pwn2Own 2021: Windows 10, Exchange and Microsoft Teams are the first to fall
The Pwn2Own 2021 competition started yesterday, and on its first day serious security flaws were exploited on three Microsoft platforms.
First, a team of hackers (Viettel) earned a reward of $40,000 for a zero-day security flaw in Windows 10. The flaw could be used by any user of the system to escalate to SYSTEM privileges, the highest privilege level in the operating system.
Second, another team (Devcore) collected $200,000 for finding a way to chain two flaws in Exchange, Microsoft's mail server. The two flaws were an authentication bypass and a privilege escalation, and together they allowed remote code execution on the server.
Third, an individual security researcher earned $200,000 by chaining two Microsoft Teams security flaws to achieve code execution through the company's enterprise messaging platform.
In total, $440,000 was paid out on the first day of Pwn2Own 2021. These bugs have, of course, already been reported to Microsoft, which has 90 days to fix them before technical information about them is made public.
On the first day, bugs were also exploited in macOS (reaching the kernel through Safari) and in Ubuntu.
We will see new vulnerabilities in the coming days
The second day of the competition takes place today. According to the researchers' plans, the main targets will be Google Chrome, Microsoft Edge (Chromium) and Zoom Messenger. Other hacker groups will also try to find and exploit further flaws in Windows 10, Exchange and MS Teams.
As on the first day, the contestants only demonstrate that the flaw exists and can be exploited; the details are then reported to the developers. For security reasons, no information about the flaws will be published for up to 90 days, to prevent them from being exploited en masse on the network before a fix is available.