macOS, Windows 10 and Ubuntu Hacked at Pwn2Own 2020

By Imran Hussain

macOS, Windows 10 and Ubuntu were among the software that fell to exploits on day 1 of Pwn2Own 2020. A total of $180,000 was up for grabs for 9 bugs in 3 categories, and hackers were able to defeat the security mechanisms in three of the most popular desktop operating systems out there.

Due to coronavirus, the annual Pwn2Own event was held virtually, instead of in Vancouver, Canada. The hackers had prepared exploits in advance and sent them to organizers to demonstrate in a live presentation to all participants.


Apple’s desktop operating system was targeted through a vulnerability in Safari combined with a macOS kernel escalation of privilege. The winners were the Georgia Tech Systems Software & Security Lab, who won $70,000 for their successful exploit, which consisted of six bugs. The team also managed to disable System Integrity Protection on the Mac to show that kernel-level code execution had been achieved.

Windows 10 was hacked by Flourescence, a Pwn2Own veteran who used his use-after-free (UAF) bug to gain escalated system privileges in Windows. He won $40,000 for this successful exploit.

Ubuntu was hacked by the RedRocket CTF team, with a local privilege escalation (LPE) exploit. An improper input validation bug in Ubuntu’s kernel was exploited to gain root access. The successful exploit received $30,000.

Lastly, on day 1, Fluoroacetate used another use-after-free bug in Windows 10 to gain system access from a standard user account. This bug was different from the one used by Flourescence. Fluoroacetate received $40,000 for the exploit.

On day 2, VirtualBox, Adobe Reader on Windows, and VMware Workstation were hacked by various teams. While the teams behind the exploits for VirtualBox and Adobe Reader won $40,000 and $50,000, respectively, the team behind the VMware Workstation hack was unable to demonstrate their exploit in the allotted time. The organizers later confirmed that the bug was valid.


All the companies behind these operating systems and software were provided details of the exploits to help them fix the bugs in future updates. The companies are given 90 days to develop security patches. After this time has passed, the bugs are made public.

Somehow, neither Android nor iOS was part of any successful exploit this year, which is good news for users. However, as the Pwn2Own exploits show, no platform is 100% safe, so it is advised that you follow best practices to keep your data secure.
