UBUNTU, FIREFOX, CHROME HACKS SHOWN AT PWN2OWN 2024

The results of the two-day Pwn2Own 2024 competition, held annually as part of the CanSecWest conference in Vancouver, have been summed up. Various previously unknown vulnerabilities were exploited in Ubuntu Desktop, Windows 11, Docker, Oracle VirtualBox, VMware Workstation, Adobe Reader, Firefox, Chrome, Edge, and Tesla. A total of 23 successful attacks exploiting 29 previously unknown vulnerabilities were demonstrated.

The attacks targeted the latest stable versions of applications, browsers, and operating systems, with all available updates installed and in the default configuration. A total of $1,132,500 in rewards was paid out. The attack on Tesla, one of the targets, additionally won a Tesla Model 3. The total rewards paid for the last three Pwn2Own competitions amounted to $3,494,750. The team with the highest number of points received $202,000.



Highlighted attacks:

  • Four successful attacks on Ubuntu Desktop, which enabled the attacker to obtain root privileges (a bonus of $20,000 and $10,000, two bonuses of $5,000 each). The vulnerabilities were due to race conditions and a buffer overflow.
  • An attack on Firefox that bypassed the sandbox isolation and allowed code execution in the system when opening a specially crafted page (a bonus of $100,000). The vulnerability allowed unauthorized access to and substitution of data in privileged JavaScript objects. Mozilla quickly released Firefox 124.0.1 to address the identified issues.
  • Four attacks on Chrome, allowing code execution in the system when opening a specially crafted page (one bonus of $85,000 and $60,000, two bonuses of
