The Pwn2Own Vancouver 2024 contest, which sees participants rewarded with cash prizes and whatever devices they successfully exploit, has drawn to a close with more than a million dollars handed out for the discovery of vulnerabilities in web browsers, Microsoft Windows 11, Canonical’s Ubuntu Linux, and a Tesla Model 3.
The Zero Day Initiative’s Pwn2Own contest is an unusual twist on capture-the-flag: participants promise to exploit security vulnerabilities in popular software and hardware products live on-stage in timed challenges. If a team’s exploitation is successful, its members win cash alongside the physical products they attacked — from laptops and smartphones all the way up to cars.
Pwn2Own Vancouver 2024 has drawn to a close, with 29 new vulnerabilities found — and one team winning its second Tesla Model 3. (📷: Synacktiv/Zero Day Initiative)
The two-day Pwn2Own Vancouver 2024 came to a close this week, with a range of vulnerabilities demonstrated. All common web browsers — Mozilla Firefox, Apple Safari, Google Chrome, and Microsoft Edge — fell to attack, as did Microsoft’s Windows 11 and Canonical’s Ubuntu Linux operating systems. Adobe’s PDF-viewing Reader application proved vulnerable, as did VMware Workstation and Oracle VirtualBox.
This latest Pwn2Own contest comes on the heels of a dedicated automotive contest, announced back in September last year and held in January, with over $1 million in prizes handed out for hacks, which included takeovers of in-car entertainment systems, electric charging points, and the modem inside Tesla cars — with team Synacktiv walking away with the car for their efforts.
Synacktiv was back again for this latest competition, too, and once again demonstrated a flaw in Tesla vehicle security — using an integer overflow vulnerability to exploit the Tesla Engine Control Unit (ECU)’s CAN bus subsystem, winning the team an impressive $200,000 and their second Tesla Model 3.
All major web browsers, two major operating systems, and two virtualization platforms were exploited during the event. (📷: Kyle Zeng/Zero Day Initiative)
In total, the contest saw 29 unique zero-day vulnerabilities — and a handful of previously-known vulnerabilities — resulting in prize payouts totalling $1,132,500. The overall winner, dubbed the Master of Pwn, was Manfred Paul, for his demonstration of a remote code execution (RCE) vulnerability in Apple’s Safari browser, improper validation of inputs in Google Chrome and Microsoft Edge, and a two-prong RCE and sandbox escape vulnerability in Mozilla Firefox.
The full results are available on the Zero Day Initiative blog; technical details of all vulnerabilities are not publicly disclosed, as per the competition’s rules.
Main article image courtesy of Seunghyun Lee/Zero Day Initiative.