Microsoft Teams And Windows 11 Hacked At Pwn2Own 2022

This year’s Pwn2Own 2022 event marks the 15th year of the annual hacking competition, which will run from May 18 to May 20. The Pwn2Own contest, which is organized and sponsored by Trend Micro’s Zero Day Initiative (ZDI), runs every year during the CanSecWest security conference in Vancouver, Canada.

For those unaware, Trend Micro, a global leader in cyber-security solutions, hosts Pwn2Own in an effort to promote its ZDI program, which is designed to reward security researchers to exploit hardware and software loopholes in products and services and demonstrate and disclose them to tech companies.

Following the contest, vendors will have 90 days to produce patches for these bugs.

The first day of the Pwn2Own competition kickstarted on May 18th with security researchers earning a total of $800,000 for discovering 16 zero-day bugs on multiple products and services. Among them, hackers were able to break into Microsoft Teams and Windows 11 multiple times in a single day.

Table Of Contents

Microsoft Teams

Hector “p3rr0” Peralta was the first to target Microsoft Teams in the Enterprise Communications category. He exploited an improper configuration flaw against Microsoft’s corporate messenger and won $150,000 for his findings.

Next to target, Microsoft Teams was Masato Kinugawa who executed a 3-bug chain of infection, misconfiguration, and sandbox escape earning $150,000 for the exploit.

Besides Kinugawa, other security researchers such as Daniel Lim Wee Soong, Li Jiantao, & Ngo Wei Li of the STAR Labs team too were able to successfully demonstrated their zero-click exploit of 2 bugs (injection and arbitrary file write) on Microsoft Teams, which won them $150,000.

Windows 11

Microsoft claims that Windows 11 provides enhanced phishing protection against targeted phishing attacks and cybersecurity threats.

However, these claims were proved wrong Marcin Wiązowski was able to execute an out-of-bounds write escalation of privilege on Microsoft Windows 11. He was awarded $40,000 and earned high praise from the Microsoft Team.

Phan Thanh Duy and Lê Hữu Quang Linh of the STAR Labs team too were able to exploit Microsoft Windows 11 by using a Use-After-Free elevation of privilege. Their finding earned them $40,000.

Besides Microsoft Teams and Windows 11, hackers were also able to successfully exploit products and services from Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Apple Safari on the first day of the event.

For more details on the Day One results of the Pwn2Own 2022 contest, you can click here.