Browser bugs aplenty during three-day hackathon in Vancouver

Trend Micro’s Zero Day Initiative (ZDI) is celebrating another successful Pwn2Own, after security researchers scooped a total of $545,000 during the three-day hackathon in Vancouver, Canada, last week.

This year’s Pwn2Own, which once again took place alongside the CanSecWest security conference, saw the disclosure of 19 bugs across Apple Safari, Microsoft Edge and Windows, Mozilla Firefox, VMware Workstation, Oracle VirtualBox, and, in its inaugural year as a target, the Tesla infotainment system.

Fresh from their win at Pwn2Own Tokyo in November, Team Fluoroacetate – Richard Zhu and Amat Cama – once again dominated the event this year, earning a total of $375,000 across the contest and being crowned ‘Masters of Pwn 2019’.

Among their achievements during the hackathon, the Fluoroacetate team chained a just-in-time (JIT) compiler bug with a heap overflow to escape the Safari sandbox, and paired browser exploits against Edge and Firefox with separate Windows kernel privilege-escalation bugs, turning a renderer compromise into kernel-level code execution on the host.

Zhu and Cama also escaped an Oracle VirtualBox guest to achieve code execution on the underlying host OS (a guest-to-host escape rather than a remote attack), and, with a great deal of fanfare, demonstrated how a JIT bug in the Tesla Model 3’s browser renderer could be exploited to display their own message on the car’s infotainment system.

For their efforts, Fluoroacetate picked up $375,000 in rewards. And what’s more, they got to keep the Tesla.

Stepping up to the plate

Speaking during a webinar hosted by the Ethical Hacker Network last week, Mechele Gruhn, principal security program manager for the Microsoft Security Response Center, said she was watching the event closely.

“We love competitions like Pwn2Own,” Gruhn said. “We absolutely love it when teams go up against our products and find vulnerabilities… so that we can fix them. We want to work, and continue to work, to make our software the most secure software that we can.”

As always, vendors have received the details of the bugs and now have 90 days to produce security patches to address the issues that were reported.

Wrapping up the spring event, Dustin Childs, ZDI communications manager, told The Daily Swig: “It’s been a great contest that has exceeded expectations.”

“We knew we were setting the bar pretty high with all of our categories – especially automotive – and the researchers responded. It’s been an exhausting but exhilarating week.”