Windows 11 has had a very, very bad week.
The newest operating system from Microsoft was trounced during Trend Micro’s Zero Day Initiative (ZDI) first Pwn2Own event this year after hackers compromised it 6 times over the course of 72 hours. In total seven hackers walked away with a combined $240,000 for their Windows 11 zero-day exploits.
The exact details regarding the exploits aren’t privy to the public (and for good reason) but we do have a summarized breakdown of the type of attack leverage and the reward money offered up.
They were as follows:
- Out-of-Bounds Escalation of Privilege exploit – $40,000 reward
- Elevation of Privilege Attack – $40,000 reward
- Improper Access Control Elevation of Privilege Attack – $40,000 reward
- Integer Overflow Exploit – $40,000 reward
- Improper Access Control Exploit – $40,000 reward
- Use-After-Free Vulnerability Elevation of Privilege Attack – $40,000
Windows 11 wasn’t the only Microsoft product to get knocked around. Microsoft Teams, a popular enterprise messaging platform was slammed as well with an additional $450,000 worth of prize money going out to three hackers ($150,000 going to each hacker).
The type of attacks used against Microsoft Teams are a little less clear but they include things like code injection, misconfigurations, and zero-click remote code execution exploits (among other things).
Microsoft has been touting the OS as being one of the most secure offerings ever released out of Redmond, WA. That may be true in certain regards, but if the hackers at Pwn2Own 2022 have anything to say about the matter there are plenty of holes left to be filled.
Or not filled rather. Considering Microsoft has just entered the MSSP space, they might be totally content to just leave those gaping wounds alone and simply monetize the flaw via security services…