1 min read

Bad Times Abound for Windows 11 at PWN2OWN Vancouver 2022...

Featured Image

Windows 11 has had a very, very bad week.

The newest operating system from Microsoft was trounced during Trend Micro's Zero Day Initiative (ZDI) first Pwn2Own event this year after hackers compromised it 6 times over the course of 72 hours. In total seven hackers walked away with a combined $240,000 for their Windows 11 zero-day exploits.

The exact details regarding the exploits aren't privy to the public (and for good reason) but we do have a summarized breakdown of the type of attack leverage and the reward money offered up.

They were as follows:

  1. Out-of-Bounds Escalation of Privilege exploit - $40,000 reward
  2. Elevation of Privilege Attack - $40,000 reward
  3. Improper Access Control Elevation of Privilege Attack - $40,000 reward
  4. Integer Overflow Exploit - $40,000 reward
  5. Improper Access Control Exploit - $40,000 reward
  6. Use-After-Free Vulnerability Elevation of Privilege Attack - $40,000

Windows 11 wasn't the only Microsoft product to get knocked around. Microsoft Teams, a popular enterprise messaging platform was slammed as well with an additional $450,000 worth of prize money going out to three hackers ($150,000 going to each hacker).

The type of attacks used against Microsoft Teams are a little less clear but they include things like code injection, misconfigurations, and zero-click remote code execution exploits (among other things).

Microsoft has been touting the OS as being one of the most secure offerings ever released out of Redmond, WA. That may be true in certain regards, but if the hackers at Pwn2Own 2022 have anything to say about the matter there are plenty of holes left to be filled.

Or not filled rather. Considering Microsoft has just entered the MSSP space, they might be totally content to just leave those gaping wounds alone and simply monetize the flaw via security services...



Are Passkeys the Future? Apple Seems to Think So...

It's no secret that passwords are a pain in the butt. They can be difficult to remember, they're a huge target for cybercriminals, etc.

Read More

Alert: Follina aka CVE-2022-30190

A newly discovered exploit is using a flaw in Microsoft's Support Diagnostic Tool (MSDT) to remotely take over end-points via compromised Word...

Read More

Chaos/Yashma: The Torrid Tale of a GUI Based Ransomware Builder...

It used to take a good deal of coding knowledge to build a website or an application. That's not the case anymore. You can build a website in...

Read More