Highlights from Pwn2Own 2020

====================
TL;DR:

The following products were successfully exploited, please install the necessary updates for them when they become available: Apple Safari, Apple macOS, Ubuntu Desktop, Windows, Oracle VirtualBox and Adobe Reader
====================
As long-time readers of this blog will know, the Pwn2Own security conference with its white hacking contest is my favourite event of the year. Sophisticated vulnerability exploitation is showcased, the contestants receive large sums of money and we as consumers receive safer products to use on a day to day basis. It took place late last week virtually due to the Coronavirus. The results from both days of competition can be found here. The total prize was USD $270,000.

The winners of the competition were Richard Zhu and Amat Cama of Team Fluoroacetate winning the Master of Pwn title and USD $90,000 in prize money.

Returning to the trend of previous years, exploits against the Apple macOS kernel (defined) and Windows kernel were common again. These are high severity vulnerabilities but when addressed will make our systems safer.

The vendors have up to 90 days to resolve the vulnerabilities before public disclosure. Please expect and apply the necessary security updates to the affected as they become available

Thank you.

Pwn2Own 2019 Results

TL DR: With popular products such as the Tesla Model 3, Apple Safari, Mozilla Firefox, Oracle VirtualBox, VMware Workstation Pro and Microsoft Edge being successfully exploited; please install the necessary updates when they become available.

The annual white hat hacking contest known as Pwn2Own took place last week. Detailed results from all 3 days are available from this link.

Day 3 saw initially two teams attempting to exploit a Tesla Model 3 before one withdrew. The team Fluoroacetate made up of both Richard Zhu and Amat Cama successfully exploited the infotainment system of the Tesla earning them a further $35,000 and the car itself. They earned $375k in total and became the Master of Pwn for 2019. The contest overall distributed $545k for 19 vulnerabilities.

In contrast to previous years the researchers have targeted vulnerabilities other than those within the operating system kernel (defined) to obtain a total system compromise. Only 3 times were exploits on the OS kernel used this year (one exploit was used in conjunction when exploiting each of the web browsers Apple Safari, Microsoft Edge and Mozilla Firefox).

We can expect updates for each of the exploited products over the coming weeks and months (the vendors have up to 120 days to resolve the vulnerabilities before public disclosure). Mozilla released Firefox 66.0.1 and 60.6.1 to resolve the 2 Firefox CVEs (defined) disclosed during the contest.

If you use the affected products, please keep current with the necessary updates. Thank you.

March 2019 Update Summary

====================
Updated: 21st March 2019
====================
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797, CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683, CVE-2019-0754, CVE-2019-0757 and CVE-2019-0809).

Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.

After publishing my original post; Adobe and Microsoft jointly reported that while a newer version (32.0.0.156) of Flash Player was made available it only resolves non-security bugs.

I have updated the suggested installation order (below) to reflect this new information. Thank you.

====================
Original Post:
====================
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.

For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:

Adobe Digital Editions: 1x priority 3 CVE resolved

Adobe Photoshop CC: 1x priority3 CVE resolved

If you use the affected Adobe products; please install their remaining priority 3 updates when you can.

This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:

KB4489878          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

KB4489881          Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB4489882          Windows 10 version 1607, Windows Server 2016

KB4489883          Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB4489884          Windows Server 2012 (Security-only update)

KB4489885          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

KB4489891          Windows Server 2012 (Monthly Rollup)

KB4489899          Windows 10 version 1809, Windows Server 2019

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel: CVE-2019-0797, CVE-2019-0808

Windows DHCP Client: CVE-2019-0697 , CVE-2019-0698 , CVE-2019-0726

Microsoft XML: CVE-2019-0756

Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772

Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809

Microsoft Active Directory: CVE-2019-0683

NuGet Package Manager Tampering Vulnerability: CVE-2019-0757

Windows Denial of Service Vulnerability: CVE-2019-0754

Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)

If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005

====================
Please install the remaining updates at your earliest convenience.

As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Google Chrome:
=======================
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Notepad++:
=======================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Mozilla Firefox
=======================
Update: 25th March 2019: As detailed in the Pwn2Own 2019 results post; Mozilla released a further update for Firefox and Firefox ESR bringing their version numbers to 66.0.1 and 60.6.1 respectively. Both updates resolve 2x critical CVEs. Please consider updating to these versions as soon as possible.

=======================
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:

Firefox 66.0: Resolves 5x critical CVEs (defined), 7x high CVEs, 5x moderate CVEs and 4x low CVEs

Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs

Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware:
=======================
VMware issued 2 security advisories during March:
Security Advisory 1: Addresses 2x important severity CVEs in the following products:

VMware Player
VMware Workstation Pro

Security Advisory 2: Addresses 1x moderate severity CVE in the following products:

VMware Horizon

If you use the above VMware products, please review the security advisories and apply the necessary updates.

=======================
Putty:
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.71 in mid-March. It contains 8 security fixes (see below). They are a result of the bug bounties awarded through the EU-Free and Open Source Software Auditing (EU-FOSSA) (discussed previously in this post). Version 0.71 is downloadable from here.

If you use Putty, please update it to version 0.71. Thank you.

Security vulnerabilities fixed:

• vuln-auth-prompt-spoofing: Authentication prompts can be spoofed by a malicious server
• vuln-chm-hijack: Potential malicious code execution via CHM hijacking
• vuln-fd-set-overflow: Buffer overflow in Unix PuTTY tools if server opens too many port forwardings
• vuln-rng-reuse: Cryptographic random numbers can occasionally be reused
• vuln-rsa-kex-integer-overflow: Integer overflow due to missing key-size check in RSA key exchange code
• vuln-terminal-dos-combining-chars: DoS if many Unicode combining characters are written to the terminal
• vuln-terminal-dos-combining-chars-double-width-gtk: DoS by terminal output involving combining characters, double-width text, an odd number of terminal columns, and GTK
• vuln-terminal-dos-one-column-cjk: DoS by terminal output if a CJK wide character is written to a 1-column-wide terminal

=======================

=======================
Nvidia Geforce Experience Software:
=======================
In late March , Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 1 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be applied by opening Geforce Experience which will automatically updated it or the update can be obtained from here.

=======================
GOG Galaxy
=======================
Golden Old Games (GOG) has published an update for their popular game distribution platform GOG Galaxy. It resolves 2 critical vulnerabilities. Additionally, 2 high severity and 2x medium severity vulnerabilities were also resolved. These vulnerabilities are discussed in more detail in this Cisco Talos blog post and within this Kaspersky ThreatPost article. Please update GOG Galaxy to version 1.2.54.23 or later to resolve these vulnerabilities.

I don’t often post about vulnerabilities in gaming clients/gaming distribution clients but like any software; security updates can and are made available for them.

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now and into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

March 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Protection Engine. Further details are available in this separate blog post.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
Last Tuesday Microsoft began distributing their scheduled security updates to resolve 74 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

This month there are 12 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4088787

4088782

4088776

4088786

4088779

4088876

4088879

4088875

4088878

4089344

4089229

4090450

====================

In addition to these updates; Adobe released updates for the following products:

Adobe Connect (priority 3, 2 CVEs)

Adobe Dreamweaver CC (priority 3, 1 CVE)

Flash Player v29.0.0.113 (priority 2, 2 CVEs)

Non-Microsoft browsers should update automatically e.g. Google Chrome released an update on Tuesday which includes the new Flash Player. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out very soon):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Windows Shell (CVE-2018-0883)

CredSSP (CVE-2018-0886): Please also enable the Group Policy setting to fully mitigate this issue. Further updates will be made available in subsequent months.

Microsoft Office (consisting of CVE-2018-0903 and CVE-2018-0922)

====================

Similar to last month additional updates for Spectre vulnerability were made available for Windows 10 Version 1709. Further updates are planned and will be listed in this knowledge base article.

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

===============

=======================
Mozilla Firefox:
=======================
This month Mozilla issued 3 sets of security updates for Firefox and Firefox ESR (Extended Support Release):

16th March: Firefox 59.0.1: Resolves 2x critical CVEs (1 of which originated from Pwn2Own 2018).

13th March: Firefox 59: Resolves 2x critical CVEs, 4x high CVEs, 7x moderate CVEs, 5x low CVEs

13th March: Firefox ESR 52.7: Resolves 2x critical, 3x high CVEs, 2x moderate CVEs

26th March: Firefox 59.0.2: Resolves 2x high severity CVEs

26th March: Firefox 52.7.3 ESR: Resolves 1x high severity CVE

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Malwarebytes Anti-Malware
=======================
Earlier this month Malwarebytes made available version 3.4.4 of their anti-malware product. While the update provides stability and performance improvements it also updates the 7-Zip DLL (defined) within it to version 18.01.

Please install this update using the steps detailed in this Malwarebytes forum post. Further details of the improvements made are available in this BleepingComputer article.

=======================
Google Chrome:
=======================
This month Google made available 4 updates for Google Chrome; one in early March and the other in mid-March. The more recent updates resolves 45 security issues while the update from the 20th of March resolves 1 security issue.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Nvidia Geforce Drivers:
=======================
This update (released on the 28th of March 2018) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
OpenSSL
=======================
On the 27th of March; the OpenSSL Foundation issued 2 updates for OpenSSL to address 1x moderate security vulnerability and 2x low severity issues as detailed in this security advisory. To resolve these issues please update your OpenSSL installations to 1.1.0h or 1.0.2o (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued update for the following products on the 15th of March to address one important severity security vulnerability:

• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro / Fusion (Fusion)

Please review this security advisory and apply the necessary updates.

=======================
Apple security updates:
=======================
In the final week of March Apple made available security updates for the following products:

=======================
Apple tvOS 11.3

Apple iOS 11.3

Apple watchOS 4.3

Apple Safari 11.1

Apple macOS High Sierra 10.13.4, Sierra and El Capitan

Apple iTunes 12.7.4 for Windows

Apple iCloud for Windows 7.4
=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
WinSCP
=======================
In late March; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2o (which addresses 1x moderate CVE).

Google offers financial and technical support to open source projects

Early last week Google shared their results after beginning a project to fuzz (defined) test open source software (defined). Their project is currently processing 10 trillion test cases per day. Open source projects involved in this initiative include GNUTLS, BoringSSL, FFMpeg, JSON, Libpng, LibreOffice, LibSSH, OpenSSL and Wireshark (among many well-known others).

What is the purpose of their project?
The purpose of fuzzing is to repeatedly and thoroughly test how robust/secure the code of the enrolled open source projects is. More than 1000 bugs have found so far (approximately 264 of which were potential security vulnerabilities).

As Google points out, this also helps to increase the reliability of the software being created since regressions (defined) are fixed within hours before they ever affect a user. Another aspect of this is other software bugs e.g. logic errors can be detected and corrected sooner.

In return for a project signing up to this initiative, Google have pledged to provide extra funding:

1. $1,000 USD for initial integration of the OSS-Fuzz tests into their development process
2. Up to $20,000 USD for ideal integration (an itemised list of how this figure is obtained is detailed here).

How this project become to be developed?
I have mentioned the Core Infrastructure Initiative (CII) on this blog before. This fuzzing project was created with assistance from the CII to benefit projects critical to the global IT infrastructure. This project is in progress alongside Project Wycheproof (with its objective to strengthen cryptographic implementations by having new implementations pass a series of tests to verify they are not affected by these particular implementation issues being checked for).

How does this project help the wider industry/community?
With projects such as those mentioned above used by large corporations, small business and consumers alike; the regular feature/security updates we all receive make these projects more stable and secure than they otherwise would be. The outcomes will be very similar to that of Pwn2Own.

With these benefits for the projects as well as all of their users, I hope projects such as this continue and expand in scope as time progresses.

Thank you.

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

=======================
Update: 28th March 2017:
=======================
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

=======================
Update: 11th April 2017:
=======================
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows this year’s contest is bigger than ever. With the more vulnerabilities that are found by the researchers the more they are awarded and the more everyone benefits by the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.

Pwn2Own 2016 Highlights Kernel Exploits

Update: 19th March 2017:
Apologies for not continually updating this post detailing the fixes for each issue identified. When I attempted to do so I found it wasn’t possible to identify the fixes.

During Pwn2Own CVE numbers (defined) are generally not assigned to the vulnerabilities found or other similar identifiers when publishing the results. With the availability of security updates which include CVEs you cannot tell if they refer to Pwn2Own issues or simply routine responsible disclosures.

Occasionally vendors will mention they have resolved a Pwn2Own vulnerability but not always. In addition the names of the researchers who took part in the contest are frequently present in routine disclosures making singling out specific vulnerabilities more difficult.

Thank you for your understanding.

=======================
Update: 25th March 2016:
=======================
The first security issue to be addressed as a result of this year’s Pwn2Own contest was a vulnerability in Google Chrome as detailed in a more recent blog post.

Thank you.

=======================
Original Post:
=======================
As scheduled the final day of Pwn2Own 2016 took place on the 17th of March. Full details of how the individual teams performed and how many exploits were successful are available here and here. In summary Adobe Flash, Apple Safari and Microsoft Edge were successfully exploited with Google Chrome only partially exploited using a known issue.

As noted by Trend Micro the highlights of this year’s contest include that every exploit presented achieved System/root privileges (separately defined) which took advantage of flaws such as buffer overflows (defined) within the kernels (defined) of these products. With the change of focus of exploits targeting the kernel this is a worrying trend and highlights the need for more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel by the vendors to find and resolve vulnerabilities before they are exploited.

The prize money of $460k earned by the participants is truly amazing. Pwn2Own was again a great success and we can look forward to the issues found in the above mentioned products to be fixed and rolled-out to us in the coming months.

Thank you.

Upcoming Pwn2Own 2016 Contest Announced

Update: 20th March 2016:
A more recent blog post discusses the outcome of Pwn2Own 2016.

Thank you.

=======================
Original Post
=======================
Next month on March the 16th and 17th the annual CanSecWest security conference will take place. As you know I’m a particular fan of this since it includes the Pwn2Own contest.

This year Mozilla Firefox and Adobe Reader won’t be included. Exploits for Firefox are quite rare while exploits for Adobe Reader have mostly ceased to be used by exploit kits (defined) in recent years so I can see why this decision was made. However while this is the case, we still see security updates being made available for both of these products on a regular basis. Other changes are the fact that the operating systems to be exploited won’t be directly installed on the computers within the contest but within VMware virtual machines (VMs). Additional prize money will be awarded if the researchers can have their exploits escape from within the VMs.

This contest will mark the first time that Apple Mac OS X 10.11 (“El Capitan”), Microsoft Edge and Windows 10 will be part of the competition as security researchers attempt to exploit the very latest versions of these products. Similar to last year Microsoft EMET will be used to make the exploitation of vulnerabilities more difficult. Whether more vulnerabilities will be found in EMET or if it simply present for the purpose mentioned above remains to be seen.

Further details of this year’s contest are available here. I will post again when the results of the contest are known and will include any highlights that we as users of the software present in the contest can look forward to being more secure and/or whether as a result of the contest more security features will be added.

Thank you.