Latest news with #Pwn2Own


Forbes
19-05-2025
- Forbes
Hackers Make $1 Million In Weekend Zero-Day Frenzy
PWN2OWN hackers make $1 million selling zero-day exploits. As the three-day hacking frenzy that is Pwn2Own Berlin comes to an end, the staggering extent of the skill displayed by the hackers taking part has been confirmed. With no fewer than 28 completely new and unique zero-day exploits demonstrated, and an equally impressive $1,078,750 handed over in exchange for the vulnerabilities behind them, the world of technology just got a little bit safer. Here's what you need to know.

I'm a hacker, that's a pretty well-known thing, but I'm not in the same league as the elite hackers who compete at Pwn2Own every year. By the way, none of us is a criminal, as hacking is not a crime. Criminal hacking is, but finding security vulnerabilities in hardware and software, platforms and services, most certainly is not. Most hackers are not in the public eye either, staying out of the headlines and just doing their bit to make the world a more secure place to live and work in. Which doesn't mean that a little bit of recognition, if not notoriety, isn't appreciated every now and then. Rather than public recognition, however, it's being appreciated by your peers that drives many of the hackers who have taken part in the Pwn2Own competitions, which first started back in 2007. That, and the money that can be made, of course. You might think that with more than a million bucks handed out at Pwn2Own Berlin, this was the primary objective. But no, you'd be wrong: getting to the top of the Masters of Pwn leaderboard and proving themselves to be the best of the best beats cold cash any day of the week.

Pwn2Own is held twice a year, with different products and services targeted at each event. What ties the events together is that all of the targets, be it a Tesla car system or Windows 11, have been put forward by the vendor concerned so that they can be exposed to the best of the best as far as hackers are concerned.
The idea is that individuals can discover security vulnerabilities that would otherwise remain hidden until malicious actors uncover them, and demonstrate how those vulnerabilities can be exploited. The vendors are given 90 days to fix any zero-days successfully demonstrated before the technical details are made public. From the hackers' perspective, things are spiced up a little by their zero-day exploit attempts being strictly against the clock as well as against each other.

This year, between May 15 and 17, the Pwn2Own hackers found no fewer than six zero-days in Windows 11, as well as three VMware zero-days and two impacting Mozilla Firefox. In all, 28 zero-day exploits were demonstrated, and Trend Micro ZDI handed over $1,078,750 to the successful hackers in return for the vulnerability details.


Forbes
19-05-2025
- Forbes
New Firefox Warning—Emergency Update Fixes Two Exploited Flaws
Emergency security updates are coming thick and fast, with Apple recently fixing two flaws being used in attacks and Google issuing critical patches for its Chrome browser. Now Mozilla's Firefox, a popular Chrome alternative, has issued an emergency fix for two security vulnerabilities already used in real-life attacks. Mozilla doesn't provide much detail about what's patched in its recent updates, Firefox 138.0.4, Firefox Extended Support Release (ESR) 128.10.1 and Firefox ESR 115.23.1. But the two Firefox flaws were demonstrated in real life at the hacker conference Pwn2Own in Berlin. The Pwn2Own security competition has so far seen a number of impressive hacks, including a successful compromise of Windows 11 — which was hacked three times in one day — and a VMware zero-day exploit, covered by my colleague Davey Winder.

The first Firefox issue is a critical out-of-bounds access flaw in Firefox's JavaScript engine, tracked as CVE-2025-4918 and reported by Edouard Bochin and Tao Yan from Palo Alto Networks working with Trend Micro's Zero Day Initiative. 'An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object,' Mozilla wrote in an advisory. Tracked as CVE-2025-4919, the second Firefox vulnerability involves out-of-bounds access when optimizing linear sums. Also marked as having a critical impact, its discovery is credited to Manfred Paul working with Trend Micro's Zero Day Initiative. 'An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes,' Firefox said.

The two Firefox issues are certainly serious, with each of the researchers awarded $50,000 at the Pwn2Own hackathon for their discovery. Both issues require little to no user interaction, with attackers able to execute code by tricking people into visiting malicious websites, so it makes sense to update as soon as you can.
This is especially important given that the information is already out there, meaning the flaws could easily be exploited in further attacks. The update can be found via 'Help' on the Firefox menu, then selecting 'About Firefox.' If you are using an Apple Mac, select 'About Firefox' from the Firefox menu. So what are you waiting for? Update Firefox now to keep your browser safe.


Forbes
17-05-2025
- Forbes
Windows 11 Hacked — Three New Pwn2Own Zero-Days Deployed
Windows 11 hacked three times on day one of PWN2OWN. Update, May 17, 2025: This story, originally published May 16, has been updated with news of another successful Windows 11 hack at the Pwn2Own hacking event in Berlin.

I've said it before, and I'll say it again: hacking is not a crime. I'd have been in prison a long time ago were that true. I'm not a fan of the term ethical hackers, but it will have to do to describe the security researchers and hacking elite who have gathered in Berlin for day one of the Pwn2Own hackathon. Rather than use their undoubted hacking skills for malicious purposes, as the most prolific cybercriminal groups do, these hackers have been deploying zero-days for the good of us all, including three aimed at Windows 11 that elevated privileges to system level, which could enable complete system takeover. Such skills do not go unvalued, and the hackers concerned were rewarded $75,000 for their efforts. Here's what you need to know about the Windows 11 hack trilogy.

If you are a regular reader of my articles, then you will know that I have covered the Pwn2Own events for many years, most recently detailing how Tesla fell to hackers four times in one day and how five zero-day vulnerabilities were used to compromise the Samsung Galaxy 24 smartphone. You would also know that Tesla and Samsung submitted their products to the hackathon, wanting to see if the elite of the hacking world could find vulnerabilities that they had not, so they could be fixed before malicious actors stumbled across them. Pwn2Own, the brainchild of the Trend Micro Zero Day Initiative, dates back to 2007 and attracts some of the best hacking minds on the planet to its twice-yearly events. Pitched against the clock to 'pwn' products (hacker and gamer slang for owning something or someone by gaining control), the zero-day hacker heroes can earn a share of more than a million dollars in prize funds.
Day one of Pwn2Own Berlin 2025, held on May 15, saw no fewer than three successful hacking attempts targeting Windows 11 and escalating privileges to system level:

Update: The first results for day three of Pwn2Own are in, and it's Windows 11 that's the victim once again. A hacker called Angelboy from the DEVCORE Research Team achieved another privilege escalation attack against Microsoft's premier operating system. However, this was not deemed a full success in terms of the competition, but rather a collision, because one of the vulnerabilities used in the exploit chain was already known to Microsoft and so not a true zero-day.

And it's not just Microsoft products that are falling into the hands of these elite hackers. Broadcom's VMware ESXi has been compromised by a zero-day exploit as well. This is Pwn2Own history in the making, as the hypervisor had never before been compromised during the event's 18 years of activity. The hacker behind the achievement, Nguyen Hoang Thach of the STARLabs SG team, deployed a single integer overflow exploit. This earned them a not-too-shabby reward of $150,000 on the spot, as well as 15 valuable points towards the coveted Master of PWN title.

I have reached out to Microsoft for a statement regarding the Windows 11 hack successes at Pwn2Own, and to Broadcom concerning the $150,000 VMware ESXi zero-day.


Forbes
17-05-2025
- Forbes
VMware Hacked As $150,000 Zero-Day Exploit Dropped
Pwn2Own hackers use $150,000 exploit on VMware ESXi. The elite hackers attending Pwn2Own in Berlin have made hacking history by successfully deploying a zero-day exploit against VMware ESXi. Having already made the headlines with no fewer than three zero-days compromising Windows 11 on day one of the hacking competition, day two kept the security surprises well and truly coming. Here's what you need to know.

Organizations have had a lot to digest regarding enterprise technology security issues over the last few weeks, what with the U.S. Cybersecurity and Infrastructure Security Agency urging them to ensure they are protected against a high-severity Chrome vulnerability already being exploited in the wild, HTTPBot attackers targeting business Windows networks, and Microsoft confirming a critical 10/10 cloud security vulnerability. You might think that the news of VMware ESXi being hacked using a $150,000 zero-day exploit is the icing on the security nightmare cake, but you couldn't be more wrong. Context is everything, and the context here is the environment in which that zero-day was dropped.

Pwn2Own is a twice-yearly hackathon where some of the world's leading hackers come together in friendly competition to see who can hack products and services, within strict time limits, using never-before-seen zero-day exploits, and earn the title Master of PWN. The good news is that this is all above board and legal. Remember that hacking is not a crime, folks, and the products and services being hacked have been submitted by the vendors for the purposes of discovering vulnerabilities before cybercriminals do. In the case of the VMware ESXi zero-day exploit, this was the first time in Pwn2Own's history, stretching back to 2007, that the hypervisor has been successfully exploited. The hacker behind the achievement, Nguyen Hoang Thach, who is part of the STARLabs SG team, was able to deploy a single integer overflow exploit.
This earned them a not-too-shabby reward of $150,000 on the spot, as well as 15 valuable points towards the coveted Master of PWN title. I have reached out to Broadcom for a statement regarding the VMware ESXi zero-day at Pwn2Own, and will update this article should one be available.


Forbes
16-05-2025
- Forbes
Windows 11 Hacked — Three New Zero-Days Deployed By Pwn2Own Elite