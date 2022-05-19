On the first day of the Pwn2Own Vancouver 2022 event, participants successfully exploited 16 zero-day flaws to hack various products, including Microsoft’s Windows 11 operating system and the Teams communication platform. The organizers of the event distributed 800,000 dollars among those who managed to make these discoveries.

This year marks the 15th anniversary of the contest. This edition brings together 17 contestants who try blow up 21 targets in multiple categories. And one of the software firms with the most bugs discovered has been the Redmond giant. During the contest, security researchers have had to analyze web browsers, virtualization software, local escalation of privilegesservers, business communications and automobiles.

Once security vulnerabilities have been demonstrated and disclosed during Pwn2Own, software and hardware vendors they have 90 days to develop and release security fixes for all reported bugs.

The first to fall was Microsoft Teams in the category of business communications: it was possible exploit a misconfiguration flaw. Another participating team also discovered a 2-failure zero-click exploit chain (injection and arbitrary file writing).

On a third occasion, another participant exploited a chain of 3 injection, deconfiguration, and sandbox escape bugs within Teams.

They each won $150,000 for successfully demonstrating their zero-day or zzero-day bugs in Microsoft Teams.

Problems in other software programs

STAR Labs, a group that featured prominently at the event, won an additional $40,000 after elevating privileges on a system running Windows 11 using a Use-After-Free weakness and an additional $40,000 for achieving privilege escalation in Oracle Virtualbox.

Another participant successfully demonstrated two bugs (prototype contamination and improper input validation) to hack Mozilla Firefox and an out-of-band write to Apple Safari. Ubuntu Desktop, the Tesla Model 3 infotainment system (with Sandbox Escape), and Diagnostic Ethernet (with Root Persistence) were other programs with zero-day exploits.

