Chinese Pwn2Own sees fully patched iPhone 13, Chrome and Exchange server cracked
2 min. read
Published on
Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more
It is increasingly clear that security is just an illusion, as hackers consistently defeat even the most secure operating systems and platforms.
The latest report is from the Tianfu Cup cybersecurity contest, which saw a wide variety of devices and applications breached. Victims include the iPhone 13 Pro running iOS 15.0.2 breached twice with a remote code execution exploit and an iOS 15 jailbreak.
Microsoft could not gloat, as the company saw 5 successful exploits of Windows 10 and one for Exchange, while Google saw two exploits for Chrome.
Other affected targets include Adobe PDF, the Asus AX56U router, Docker CE, Parallels VM, QEMA VM, Ubuntu 20, VMware ESXi and Workstation.
Chinese hackers have to show off their work at Tianfu Cup as they have been banned from taking part in international contests such as Pwn2Own. There are concerns from some sources that the Chinese government could stockpile hacks for future cyberwarfare, as a new September 1st 2021 Chinese law requires Chinese citizens to disclose any zero-day vulnerabilities to the government.
“The Chinese government could stockpile a significant number of zero-days against widely used products in other regions and have access to the knowledge required to exploit these products before they’re successfully patched,” said Kristina Balaam, a senior security intelligence engineer at Lookout.
“This is the cyber equivalent of flying planes over Taiwan,” said Sam Curry, the chief security officer at Cybereason.
The winning hacks have however been disclosed to affected vendors. A Microsoft spokesperson told Forbes that “all vulnerabilities reported as part of the contest are disclosed responsibly and confidentially. Solutions to verified security issues that meet our criteria for immediate servicing are normally released via our monthly Update Tuesday cadence.” Google has already started rolling out fixes for the vulnerabilities found on the 16-17th October event in Chrome 95.0.4638.69, released on the 28th October 2021.
via Forbes
User forum
0 messages