
Latest news with #ZeroDayInitiative

New Firefox Warning—Emergency Update Fixes Two Exploited Flaws

Forbes, 19-05-2025

Emergency security updates are coming thick and fast, with Apple recently fixing two flaws being used in attacks and Google issuing critical patches for its Chrome browser. Now the popular Chrome alternative, Mozilla's Firefox, has issued an emergency fix for two security vulnerabilities already used in real-life attacks. Firefox's owner, Mozilla, doesn't provide much detail about what's patched in its recent updates: Firefox 138.0.4, Firefox Extended Support Release (ESR) 128.10.1 and Firefox ESR 115.23.1. But the two Firefox flaws were demonstrated in real life at the hacker conference Pwn2Own in Berlin.

The Pwn2Own security competition has so far seen a number of impressive hacks, including a successful compromise of Windows 11, which was hacked three times in one day, and a VMware zero-day exploit, covered by my colleague Davey Winder.

The first Firefox issue is a critical out-of-bounds access flaw in Firefox's JavaScript engine, tracked as CVE-2025-4918 and reported by Edouard Bochin and Tao Yan from Palo Alto Networks working with Trend Micro's Zero Day Initiative. 'An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object,' Mozilla wrote in an advisory.

Tracked as CVE-2025-4919, the second Firefox vulnerability involves out-of-bounds access when optimizing linear sums. Also marked as having a critical impact, its discovery is credited to Manfred Paul working with Trend Micro's Zero Day Initiative. 'An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes,' Firefox said.

The two Firefox issues are certainly serious, with each of the researchers awarded $50,000 at the Pwn2Own hackathon for their discovery. Both issues require little to no user interaction, with attackers able to execute code by tricking people into visiting malicious websites, so it makes sense to update as soon as you can. This is especially important given that the information is already out there, meaning that the flaws could easily be exploited in additional attacks.

The update can be found via 'Help' on the Firefox menu, then selecting 'About Firefox.' If you are using an Apple Mac device, select 'About Firefox' from the Firefox menu. So what are you waiting for? Update Firefox now to keep your browser safe.
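For anyone responsible for more than one machine, clicking through About Firefox does not scale. As an added example (not part of the Forbes article and not Mozilla's own tooling), the Python below classifies a Firefox version banner against the three fixed builds named in the article: 138.0.4 for the release channel, 128.10.1 and 115.23.1 for the two ESR branches. It assumes `firefox --version` prints a banner of the form `Mozilla Firefox 138.0.3` for release builds and `Mozilla Firefox 128.10.1esr` for ESR builds; the function names and the sample banners are the example's own.

```python
"""Classify a Firefox version banner against the builds that fixed
CVE-2025-4918 and CVE-2025-4919 (Firefox 138.0.4, ESR 128.10.1, ESR 115.23.1)."""
import re
import subprocess
from typing import Optional, Tuple

# Minimum patched build per branch that Mozilla still ships, taken from the
# release numbers quoted in the article above.
FIXED = {
    138: (138, 0, 4),   # release channel
    128: (128, 10, 1),  # ESR 128
    115: (115, 23, 1),  # ESR 115
}

# Assumption: the banner ends with "<major>.<minor>[.<patch>][esr]".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a `firefox --version` banner."""
    m = _VERSION_RE.search(banner.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version banner: {banner!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_patched(banner: str) -> bool:
    """True if the build carries the fix for both CVEs."""
    version = parse_version(banner)
    major = version[0]
    if major in FIXED:
        # Same branch: compare (major, minor, patch) tuples lexicographically.
        return version >= FIXED[major]
    # Anything newer than 138 was cut after the fix. Every other major that is
    # not one of the three branches (e.g. 137, 120, 114) is an end-of-life
    # train that never received the fix.
    return major > 138


def check_local_firefox() -> Optional[bool]:
    """Run the installed binary and classify it; None if firefox is not on PATH."""
    try:
        proc = subprocess.run(
            ["firefox", "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_patched(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners; not output captured from real hosts.
    for sample in (
        "Mozilla Firefox 138.0.3",
        "Mozilla Firefox 138.0.4",
        "Mozilla Firefox 128.10.1esr",
        "Mozilla Firefox 115.22.0esr",
        "Mozilla Firefox 137.0.2",
        "Mozilla Firefox 139.0",
    ):
        print(f"{sample:30} patched={is_patched(sample)}")
```

The branch-aware comparison matters: a plain "newer is better" check would wrongly flag ESR 128.10.1 as older than an unpatched 137.0.2, and a plain numeric threshold at 138.0.4 would wrongly pass 137.x, which is an abandoned train with no fix at all.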

Windows 11 Hacked — Three New Zero-Days Deployed By Pwn2Own Elite

Forbes, 16-05-2025

Windows 11 hacked three times on day one of Pwn2Own. I've said it before, and I'll say it again: hacking is not a crime. I'd have been in prison a long time ago were that true. I'm not a fan of the term ethical hackers, but it will have to do to describe the security researchers and hacking elite who have gathered in Berlin for day one of the Pwn2Own hackathon. Rather than use their undoubted hacking skills for malicious purposes, like the most prolific cybercriminal groups do, these hackers have been deploying zero-days for the good of us all, including three aimed at Windows 11 that managed to elevate privileges to system level, which could enable complete system takeover. Such skills do not go unvalued, and the hackers concerned were rewarded $75,000 for their efforts. Here's what you need to know about the Windows 11 hack trilogy.

If you are a regular reader of my articles, then you will know that I have covered the Pwn2Own events for many years, most recently detailing how Tesla fell to hackers four times in one day, and how five zero-day vulnerabilities were employed to compromise the Samsung Galaxy 24 smartphone. You would also know that Tesla and Samsung submitted their products to the hackathon event, wanting to see if the elite of the hacking world could find vulnerabilities that they had not, so they could be fixed before malicious actors stumbled across them. Pwn2Own, the brainchild of the Trend Micro Zero Day Initiative, dates back to 2007 and attracts some of the best hacking minds on the planet to the twice-yearly events. Pitched against the clock to 'pwn' products, hacker and gamer slang for owning something or someone by gaining control, the zero-day hacker heroes can earn a share of more than a million dollars in prize funds.

Day one of Pwn2Own Berlin 2025, held on May 15, saw no fewer than three successful hacking attempts targeting Windows 11 and escalating privileges to system level:

I have reached out to Microsoft for a statement regarding the Windows 11 hack successes at Pwn2Own.

Hacking tourneys fuel China's cyber ambitions

The Star, 02-05-2025

DUSTIN CHILDS can still describe the best demonstration of a winning hack at an international tournament he's ever seen. It happened almost a decade ago. The participants had to find a way to break into a Windows workstation that was hardened with firewalls and up-to-date software to make it more secure. One member of a team from China typed an Internet Protocol address into the Windows browser, he said, 'and took their hands off the keyboard and that was it'. The address triggered computer code that turned the Chinese team's access from 'guest' to 'host', giving them administrator rights and the ability to install whatever code or software – or malware – they wanted.

That was in 2017 at Pwn2Own, a hacking competition that drew entrants from around the world – analysts and researchers from cybersecurity firms, primarily – to find new ways to exploit popular software and mobile devices. By then, teams from China had been competing for years, and dominating. They came from universities, companies and elsewhere, said Childs, the head of threat awareness at the cybersecurity firm Trend Micro Inc. The top title at the tournament was called 'Master of Pwn', said Childs, who has been affiliated with the tournament since 2009 and is part of the Zero Day Initiative that runs it. 'We implemented that title in 2016. The Chinese companies won it at every competition until they stopped participating,' he said.

That international acclaim also drew the attention of critical eyes back home. In 2017, the billionaire founder of Chinese cybersecurity firm Qihoo 360, Zhou Hongyi, publicly criticised Chinese participation in overseas hackathons, arguing that vulnerabilities discovered by Chinese experts should remain within that country's borders. The criticism from Zhou, a member of a political advisory board to the Communist Party government, did not go unnoticed. The following year, there were no Chinese teams competing at Pwn2Own.

Instead, China started its own hacking tournament, called the Tianfu Cup. Participants were encouraged to hack into Apple operating systems, Google phones and Microsoft networks, according to media reports. But there was a difference. At Pwn2Own and other hacking competitions, the findings are reported to the companies that make the software or devices so they can fix them before hackers take advantage. Participants in Chinese hacking competitions are required to report them to the government first, according to a 2018 regulation. 'In practice, this meant vulnerabilities were passed to the state for use in operations,' said Dakota Cary, a China-focused consultant at the United States cybersecurity company SentinelOne. One example, cybersecurity experts said, occurred in 2019, when Google reported that a flaw uncovered at the inaugural Tianfu Cup bore striking similarities with a hacking campaign targeting China's persecuted Uyghur ethnic communities.

Political connections

More recently, files attributed to a Chinese cybersecurity firm called i-Soon were posted on the code-sharing site GitHub, a purported data leak that suggested the contests, the government, and the cyber firms that were given access to those vulnerabilities were all connected. Among the chat records was a discussion between i-Soon employees noting a request to China's Public Security Ministry, the country's main police agency, for zero-day vulnerabilities discovered at Tianfu Cup. The documents indicated that the Tianfu Cup was a 'likely vulnerability feeder system' for the ministry, said Winnona DeSombre Bernsen, a fellow at the Atlantic Council's Digital Forensics Research Lab, who studied the logs. In March, several employees of i-Soon were charged by US authorities for carrying out cyberattacks at the direction of Chinese intelligence agencies. China rejects the allegations. I-Soon has not responded to the charges and did not respond to requests for comment.

Asked about vulnerability disclosures, a spokesperson for China's Ministry of Foreign Affairs said the reporting regulations 'aim to prevent the leakage and unauthorised disclosure of vulnerable information'. The regulations 'explicitly support the direct provision of security vulnerability information to network product providers, including foreign organisations and individuals', the spokesperson told Bloomberg reporters in Beijing. Representatives for the Tianfu Cup could not be located for comment.

Flaws in computer software and mobile devices are relatively common, prompting periodic patches to the software and updates to the devices to fix them. For criminal hackers and cyber spies, flaws that aren't previously known to the developers – known as zero days – are particularly valuable because no fix is immediately available, leaving systems exposed.

Security flaws

Some companies specialise in finding zero days and selling them to government intelligence agencies. Pwn2Own was created in 2007 to investigate potential security flaws in Apple's Mac OS X operating system. Since then, winners have been paid cash prizes for finding vulnerabilities, which are then shared with the software company or device maker to fix. All the participants, including those from China, adhered to those rules. But the first year they were gone from Pwn2Own, in 2018, Beijing stated that vulnerabilities discovered at Chinese hacking competitions must be reported to the government, said SentinelOne's Cary. Three years later, data security laws that went into effect required that vulnerabilities discovered by Chinese researchers – whether they were found in contests or in the course of their work – went straight to the Chinese Industry and Information Technology Ministry. The laws also restrict companies from sharing vulnerability information with anyone before the Chinese government has had a chance to address them – with a 48-hour reporting deadline. There are stiff financial penalties and potential legal action for anyone who doesn't comply.

China's policy of requiring researchers to disclose computer bugs they find to the government distinguishes it from the United States and other Western countries, experts said. 'The National Security Agency (NSA) doesn't force us to disclose anything along those lines to them,' said Childs, referring to the US NSA. While it doesn't force vulnerability disclosure, the NSA, the leading cryptology and signals intelligence organisation in the United States government, does its fair share of vulnerability hoarding, said Greg Austin, who has consulted with governments on China's cyber and foreign policy for more than a decade. In one incident in 2016, a group called the Shadow Brokers released a cache of secret software exploits – essentially hacking tools – that were allegedly stolen from the NSA. 'We're talking about agencies like the Central Intelligence Agency and the NSA who have discovered vulnerabilities that they don't want to reveal so that they can attack systems in other countries,' he said. 'China's the same.'

Since the data laws have come into effect, China's hacking breakthroughs have slipped further behind a wall of secrecy, experts said. 'There is a veil on the front side so we can't see what they're working on and what they're working towards. We only see the results of it when it gets into the wild and actually gets demonstrated against a real live party,' Childs said.

Chinese hacking competitions have also evolved in recent years. Along with challenging participants to break into a Tesla or security software, now the events include Chinese electric vehicles, phones and computers, said Eugenio Benincasa, a senior cyber defence researcher at the Centre for Security Studies at ETH Zurich, who closely monitors online reporting of these contests for clues about the challenges and what, if any, results are publicised.

The increased focus on Chinese domestic products aligns with Beijing's broader policy objective known as 'Delete America', aiming for self-sufficiency in advanced technologies and reducing reliance on foreign suppliers, Benincasa said. It also comes as the United States and China continue to restrict exports of key technology components to each other. 'It highlights the goal of fully domesticating China's information technology infrastructure, and replacing foreign-made core components, such as semiconductors, software, and databases, with Chinese-made ones,' Benincasa said. — Bloomberg

Jamie Tarabay writes for Bloomberg. The views expressed here are the writer's own.

Chinese hacking competitions fuel the country's broad cyber ambitions

Japan Times, 01-05-2025 (Business)

Dustin Childs can still describe the best demonstration of a winning hack at an international tournament he's ever seen. It happened almost a decade ago. The participants had to find a way to break into a Windows workstation that was hardened with firewalls and up-to-date software to make it more secure. One member of a team from China typed an IP address into the Windows browser, he said, "and took their hands off the keyboard, and that was it." The address triggered computer code that turned the Chinese team's access from "guest" to "host," giving them administrator rights and the ability to install whatever code or software — or malware — they wanted.

That was in 2017 at Pwn2Own, a hacking competition that drew entrants from around the world — analysts and researchers from cybersecurity firms, primarily — to find new ways to exploit popular software and mobile devices. By then, teams from China had been competing for years, and dominating. They came from universities, companies and elsewhere, said Childs, the head of threat awareness at the cybersecurity firm Trend Micro. The top title at the tournament was called "Master of Pwn," said Childs, who has been affiliated with the tournament since 2009 and is part of the Zero Day Initiative that runs it. "We implemented that title in 2016. The Chinese companies won it at every competition until they stopped participating," he said.

That international acclaim also drew the attention of critical eyes back home. In 2017, the billionaire founder of Chinese cybersecurity firm Qihoo 360, Zhou Hongyi, publicly criticized Chinese participation in overseas hackathons, arguing that vulnerabilities discovered by Chinese experts should remain within that country's borders. The criticism from Zhou, a member of a political advisory board to the Communist Party government, didn't go unnoticed. The following year, there were no Chinese teams competing at Pwn2Own.

Instead, China started its own hacking tournament, called the Tianfu Cup. Participants were encouraged to hack into Apple operating systems, Google phones and Microsoft networks, according to media reports. But there was a difference. At Pwn2Own and other hacking competitions, the findings are reported to the companies that make the software or devices so they can fix them before hackers take advantage.

[Photo: A man takes part in a hacking contest in Las Vegas, Nevada, on July 29, 2017. | REUTERS]

Participants in Chinese hacking competitions are required to report them to the government first, according to a 2018 regulation. "In practice, this meant vulnerabilities were passed to the state for use in operations," said Dakota Cary, a China-focused consultant at the U.S. cybersecurity company SentinelOne. One example, cybersecurity experts said, occurred in 2019, when Google reported that a flaw uncovered at the inaugural Tianfu Cup bore striking similarities with a hacking campaign targeting China's persecuted Uyghur ethnic communities.

More recently, files attributed to a Chinese cybersecurity firm called i-Soon were posted on the code-sharing site GitHub, a purported data leak that suggested the contests, the government, and the cyber firms that were given access to those vulnerabilities were all connected. Among the chat records was a discussion between i-Soon employees noting a request to China's Ministry of Public Security, the country's main police agency, for zero-day vulnerabilities discovered at Tianfu Cup. The documents indicated that the Tianfu Cup was a "likely vulnerability feeder system" for the ministry, said Winnona DeSombre Bernsen, a fellow at the Atlantic Council's Digital Forensics Research Lab, who studied the logs. In March, several employees of i-Soon were charged by U.S. authorities for carrying out cyberattacks at the direction of Chinese intelligence agencies. China rejects the allegations. I-Soon hasn't responded to the charges and didn't respond to requests for comment.

Asked about vulnerability disclosures, a spokesperson for China's Ministry of Foreign Affairs said the reporting regulations "aim to prevent the leakage and unauthorized disclosure of vulnerable information." The regulations "explicitly support the direct provision of security vulnerability information to network product providers, including foreign organizations and individuals," the spokesperson said in Beijing. Representatives for the Tianfu Cup could not be located for comment.

Flaws in computer software and mobile devices are relatively common, prompting periodic patches to the software and updates to the devices to fix them. For criminal hackers and cyber spies, flaws that aren't previously known to the developers — known as zero days — are particularly valuable because no fix is immediately available, leaving systems exposed. Some companies specialize in finding zero days and selling them to government intelligence agencies.

Pwn2Own was created in 2007 to investigate potential security flaws in Apple's Mac OS X operating system. Since then, winners have been paid cash prizes for finding vulnerabilities, which are then shared with the software company or device maker to fix. All the participants, including those from China, adhered to those rules. But the first year they were gone from Pwn2Own, in 2018, Beijing stated that vulnerabilities discovered at Chinese hacking competitions must be reported to the government, said SentinelOne's Cary. Three years later, data security laws that went into effect required that vulnerabilities discovered by Chinese researchers — whether they were found in contests or in the course of their work — went straight to the Chinese Ministry of Industry and Information Technology. The laws also restrict companies from sharing vulnerability information with anyone before the Chinese government has had a chance to address them — with a 48-hour reporting deadline. There are stiff financial penalties and potential legal action for anyone who doesn't comply.

[Photo: The Chinese government paid i-Soon to hack and steal information in a manner that obscured its involvement, the U.S. alleges. | Bloomberg]

China's policy of requiring researchers to disclose computer bugs they find to the government distinguishes it from the U.S. and other Western countries, experts said. "The NSA doesn't force us to disclose anything along those lines to them," said Childs, referring to the U.S. National Security Agency. While it doesn't force vulnerability disclosure, the NSA, the leading cryptology and signals intelligence organization in the U.S. government, does its fair share of vulnerability hoarding, said Greg Austin, who has consulted with governments on China's cyber and foreign policy for more than a decade. In one incident in 2016, a group called the Shadow Brokers released a cache of secret software exploits — essentially hacking tools — that were allegedly stolen from the NSA. "We're talking about agencies like the Central Intelligence Agency and the National Security Agency who have discovered vulnerabilities that they don't want to reveal so that they can attack systems in other countries," he said. "China's the same."

Since the data laws have come into effect, China's hacking breakthroughs have slipped farther behind a wall of secrecy, experts said. "There is a veil on the front side, so we can't see what they're working on and what they're working towards. We only see the results of it when it gets into the wild and actually gets demonstrated against a real live party," Childs said.

Chinese hacking competitions have also evolved in recent years. Along with challenging participants to break into a Tesla or security software, now the events include Chinese electric vehicles, phones and computers, said Eugenio Benincasa, a senior cyber defense researcher at the Center for Security Studies at ETH Zurich, who closely monitors online reporting of these contests for clues about the challenges and what, if any, results are publicized.

The increased focus on Chinese domestic products aligns with Beijing's broader policy objective known as "Delete America," aiming for self-sufficiency in advanced technologies and reducing reliance on foreign suppliers, Benincasa said. It also comes as the U.S. and China continue to restrict exports of key technology components to each other. "It highlights the goal of fully domesticating China's IT infrastructure, and replacing foreign-made core components, such as semiconductors, software, and databases, with Chinese-made ones," Benincasa said.

VicOne and Trend Micro Stage Pwn2Own Automotive Zero Day Vulnerability Event to Boost Industry Cybersecurity as SDV Trend Reshapes Threat

Yahoo, 28-01-2025 (Automotive)

With automotive system complexity and attack surface both rapidly growing, VicOne set to release new report detailing sharp rise in vulnerabilities and industry recommendations

DETROIT & TOKYO, January 28, 2025--(BUSINESS WIRE)--VicOne, an automotive cybersecurity solutions leader, today announced that it co-hosted with Trend Micro the world's largest zero-day vulnerability discovery contest, Pwn2Own Automotive 2025, at Automotive World, which took place Jan. 22-24 in Tokyo. Top-tier security researchers performed real-world testing on cutting-edge automotive technologies, all within Trend Micro's proven Zero Day Initiative (ZDI) platform, the world's largest vendor-agnostic bug bounty program.

Pwn2Own Automotive is an annual competition designed to uncover and rectify vulnerabilities in technologies for connected cars. Automotive cybersecurity researchers from 13 countries came together on a global stage to discover 49 unique zero-day vulnerabilities across systems such as in-vehicle infotainment (IVI) systems and electric vehicle (EV) chargers. Sina Kheirkhah of Summoning Team was crowned the Pwn2Own Automotive 2025 Master of Pwn.

"As SDVs (software-defined vehicles) reshape the automotive industry, cybersecurity becomes critical to ensuring their safety and reliability," said Max Cheng, chief executive officer of VicOne. "Platforms like Pwn2Own Automotive are instrumental to uncovering zero-day vulnerabilities and mitigating risks before they can escalate. By supporting initiatives like this, the industry can proactively strengthen vehicle security, paving the way for safer and more resilient advancements in mobility."

The automotive industry is evolving with innovations such as SDVs, advanced driver-assistance systems (ADAS) and integration of artificial intelligence (AI). These developments promise enhanced functionality and efficiency but also introduce cybersecurity challenges, including risks from generative AI, supply-chain vulnerabilities and over-the-air (OTA) updates. According to the forthcoming VicOne 2025 annual report, the total count of automotive-related vulnerabilities ("CVEs") published in 2024 reached 530 vulnerabilities, another annual gain and just two short of twice as many as in 2019. The sharp rise in vulnerabilities highlights the rapid growth in both the automotive attack surface and automotive systems. Cyberattacks in 2024 caused damages exceeding $22 billion, with $20 billion attributed to data breaches and personal information leaks, the VicOne annual report will show. Key areas impacted in 2024 included the automobile industry's suppliers and dealers, who collectively account for the majority of targeted attacks.

Other insights in the report, which is to be released publicly, include:

  • The automotive industry must adopt a security-first approach, integrating robust defenses, regulatory compliance and collaborative innovations to mitigate risks and secure the future of mobility.
  • Supply-chain vulnerabilities will likely dominate cybersecurity events moving forward, with an increase in ransomware and OTA exploitations.
  • Emerging threats include AI manipulation, cloud-based attacks and sensor data manipulation in autonomous systems.

At Automotive World 2025, the world's leading event for advanced automotive technologies convening more than 1,800 companies, VicOne showcased a range of its innovative solutions built from the ground up to protect the connected-car ecosystem:

  • xZETA, which offers robust capabilities for tackling software bill of materials (SBOM) and zero-day vulnerabilities
  • Smart Cockpit Protection, which leverages AI-driven security to safeguard automotive smart cockpits from data breaches and AI-targeted attacks
  • xCarbon, which leverages edge AI processing to analyze vehicle data in real time, enabling early detection and prevention of cyberattacks on and malfunctions in in-vehicle electronic control units (ECUs)
  • xNexus, the Vehicle Security Operations Center (VSOC) support platform
  • Various security-related services, including risk analysis using the threat assessment and remediation analysis (TARA) process and Penetration Testing
  • xScope, which uses advanced techniques to identify vulnerabilities, recommends specific improvements, and provides customized reports based on client needs

The VicOne booth at Automotive World 2025 also featured the company's collaborative initiatives with its partner companies. VicOne's strategic partnerships include original equipment manufacturers (OEMs), hardware suppliers, semiconductor vendors, software developers and service providers. Founded and singularly focused on spearheading innovation in vehicle cybersecurity, VicOne, the market leader of automotive cybersecurity, provides the most advanced and comprehensive solutions to the automotive industry and galvanizes collective expertise from the sector's broadest cast of best-of-breed partners. OEMs and suppliers trust VicOne's purpose-built solutions to stay ahead of evolving threats and safeguard vehicles, drivers and sensitive data.

About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro's 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles.

About Zero Day Initiative (ZDI)

The Zero Day Initiative (ZDI) was launched by Trend Micro in July 2005 to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers. Today, the ZDI represents the world's largest vendor-agnostic bug bounty program.

About Trend Micro

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's AI-powered cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, Trend's platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 70 countries, Trend Micro enables organizations to simplify and secure their connected world.
