Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Oracle VirtualBox, Adobe Reader, Windows Hacked at Pwn2Own 2020

On the second day of the Pwn2Own 2020 hacking competition, participants earned a total of $90,000 for exploits targeting Oracle VirtualBox, Adobe Reader and Windows.

On the second day of the Pwn2Own 2020 hacking competition, participants earned a total of $90,000 for exploits targeting Oracle VirtualBox, Adobe Reader and Windows.

Phi Phạm Hồng of STAR Labs received $40,000 for successfully demonstrating a VirtualBox exploit that resulted in a guest OS escape and arbitrary code execution on the host. The exploit involved out-of-bounds read and uninitialized variable bugs.

Amat Cama and Richard Zhu of team Fluoroacetate earned $50,000 for demonstrating that they could hijack a system by exploiting use-after-free vulnerabilities in Adobe Reader and the Windows kernel.

The Synacktiv team attempted to hack VMware Workstation, but their attempt failed. At the end of the day, Lucas Leong of the Zero Day Initiative (ZDI) — ZDI organizes Pwn2Own —- had a special demonstration: a guest-to-host escape on VirtualBox.

On the first day of the event, researchers earned a total of $180,000 for hacking Windows 10, Ubuntu Desktop, Safari and macOS, which brings the total paid out this year to $270,000. Cama and Zhu were once again declared the winners of the competition.

Pwn2Own typically takes place at the CanSecWest cybersecurity conference in Vancouver, Canada, and participants have to attend in person. However, due to concerns related to the COVID-19 coronavirus outbreak, ZDI has decided to make the event completely virtual.

The total amount paid out this year is half of what researchers earned in 2019, when Cama and Zhu alone won $375,000, and a Tesla for hacking the car’s web browser.

Advertisement. Scroll to continue reading.

When it initially announced Pwn2Own 2020, ZDI again invited researchers to hack a Tesla. However, since the automotive category requires in-person participation, any Tesla hacking attempts have been postponed “until it’s practical and safe to gather in a group setting,” ZDI told SecurityWeek.

Related: Researchers Earn $280,000 for Hacking Industrial Systems at Pwn2Own Miami

Related: Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own

Related: IoT Category Added to Pwn2Own Hacking Contest

Related: Bug Hunters Hack Samsung Galaxy S10, Xiaomi Mi9 at Pwn2Own

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem