Skip to main content

Windows 10 falls victim to hackers, but not how you might think

Windows 10
(Image credit: Shutterstock)

Security researchers squaring off at the Pwn2Own hacking competition have discovered various vulnerabilities in Microsoft’s Windows 10 operating system.

During the first two days of the event, which is run by the Zero Day Initiative, three Windows 10 exploits were identified, none of which had previously been documented.

The first, discovered by Team Viettel, saw an integer overflow bug abused to escalate user privileges, and the same feat was performed by researcher z3ro9 on the second day of the event via a similar flaw.

Finally, Tao Yan of Palo Alto Networks managed to alter the permissions of a regular user to SYSTEM levels by exploiting a Race Condition bug.

If exploited in the wild, these exploits could have allowed malicious hackers to make changes and install applications on target devices and gain access to sensitive systems unavailable to regular users.

Windows 10 vulnerabilities

The Pwn2Own competition has been running for 14 years now, during which period it has grown from a small event focused specifically on web browsers into a different beast entirely. This year, more than one million dollars in prize money is available to participants.

For the discovery of their respective Windows 10 bugs, both Yan and z3ro9 were awarded $40,000, as well as a handful of Master of Pwn points, which are used to determine the best performing hacker at the show.

Windows 10 is not the only product to have been hacked during the event, however. Researchers also discovered a Type Mismatch bug in web browsers Google Chrome and Microsoft Edge, while a zero click exploit chain was used to establish code execution on a target device via Zoom Messenger.

The final day of the event will see contestants set their sights once again on Windows 10, but also Microsoft Exchange, Ubuntu Desktop and Parallels Desktop.

All vendors whose products are exploited successfully at Pwn2Own will be briefed on the issues and given 90 days to release the necessary patches.

Via BleepingComputer