Windows 11 really isn't as secure as we think it is

Windows 11 search bar on desktop, in insider build
(Image credit: Microsoft)

White hat hackers have managed to compromise Windows 11 three times in a single day during a recently held hacking contest, raising questions on the software's security.

The third and final day of the 2022 Pwn2Own Vancouver hacking contest saw three separate participants used zero-day vulnerabilities to crack open Microsoft’s latest operating system.

The first contestant was nghiadt12 from Viettel Cyber Security, who abused a Windows 11 escalation of privilege exploit, via Integer Overflow. The second and the third ones were Bruno Pujos and vnhthp1712 from REverse Tactics, who used Use-After-Free and Improper Access Control vulnerabilities to escalate privileges on the target endpoint.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

Hacking a car

Besides three successful attempts, there was also an unsuccessful attempt by Team DoubleDragon, which failed to demo the exploit within the deadline.

Ubuntu Desktop was also successfully hacked once, by STAR Labs' Billy Jheng Bing-Jhong it was added. Use-After-Free exploit was used in this attack, as well.

During the entire Pwn2Own 2022, a total of 17 competitors hacked Windows 11 multiple times, but also Ubuntu Desktop, Apple Safari, Oracle Virtualbox and Mozilla Firefox.

Since 2019, the competition has added a brand new category - automotive infotainment systems. This year, such a system in the Tesla 3 car was hacked. According to the media, a group called Sznactiv demonstrated a sandbox escape exploit in the infotainment system, allowing the attacker to assume control over the built-in computing device. 

The group was awarded $75,000 for the bug, but said that it could also be used to launch stage-two attacks with malware that could be a lot more destructive, and could even allow for full device takeover. Completely hacking a Tesla Model 3 earns the participant $600,000 and the car itself, Kurritu.org reported. 

More than a million dollars was paid out in rewards for the successful hacks, with vendors now having 90 days to fix the issues. Should they fail to meet the deadline, Trend Micro’s Zero Day Initiative will publicly disclose the flaws.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.