Skip to main content

Windows 10 falls victim to hackers, but not how you might think

Windows 10
(Image credit: Shutterstock)
Audio player loading…

Security researchers squaring off at the Pwn2Own hacking competition have discovered various vulnerabilities in Microsoft’s Windows 10 operating system (opens in new tab).

During the first two days of the event, which is run by the Zero Day Initiative, three Windows 10 (opens in new tab) exploits were identified, none of which had previously been documented.

The first, discovered by Team Viettel, saw an integer overflow bug abused to escalate user privileges, and the same feat was performed by researcher z3ro9 on the second day of the event via a similar flaw.

Finally, Tao Yan of Palo Alto Networks managed to alter the permissions of a regular user to SYSTEM levels by exploiting a Race Condition bug.

If exploited in the wild, these exploits could have allowed malicious hackers to make changes and install applications on target devices and gain access to sensitive systems unavailable to regular users.

Windows 10 vulnerabilities

The Pwn2Own competition has been running for 14 years now, during which period it has grown from a small event focused specifically on web browsers (opens in new tab) into a different beast entirely. This year, more than one million dollars in prize money is available to participants.

For the discovery of their respective Windows 10 bugs, both Yan and z3ro9 were awarded $40,000, as well as a handful of Master of Pwn points, which are used to determine the best performing hacker at the show.

Windows 10 is not the only product to have been hacked during the event, however. Researchers also discovered a Type Mismatch bug in web browsers Google Chrome and Microsoft Edge, while a zero click exploit chain was used to establish code execution on a target device via Zoom (opens in new tab) Messenger.

The final day of the event will see contestants set their sights once again on Windows 10, but also Microsoft Exchange, Ubuntu (opens in new tab) Desktop and Parallels Desktop.

All vendors whose products are exploited successfully at Pwn2Own will be briefed on the issues and given 90 days to release the necessary patches.

Via BleepingComputer (opens in new tab)

Joel Khalili
Joel Khalili

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.