The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Exchange, Teams, Zoom, Hacked at Pwn2Own 2021

by Chris Brook on Thursday April 8, 2021

Contact Us
Free Demo

The annual hacking competition will see 23 attempts against operating systems, virtualization software, and browsers.

Browsers including Google Chrome, Microsoft Edge, and Apple Safari, along with Microsoft Teams, Windows 10, Exchange, Zoom, and Ubuntu Desktop all fell this week as hackers took aim at Pwn2Own, the annual hacking competition put on by Trend Micro's Zero Day Initiative.

After two days, hackers have earned $1.06 million of the roughly $1.5 million prize pool for Pwn2Own 2021.

While Pwn2Own is usually held alongside CanSecWest in Vancouver, because of the COVID-19 pandemic, this year's is being held remotely; contestants are submitting exploits remotely and ZDI staff in Toronto and Austin, Texas, are running them.

New this year - because of the increased usage of collaboration platforms like Zoom, Slack, and Microsoft Teams - is the competition's Enterprise Communications category. Two platforms in the category were successfully hacked, Zoom and Microsoft Teams.

Daan Keuper and Thijs Alkemade from Computest, a Danish IT firm, used three bugs to get code execution on Zoom Messenger. A researcher that goes by the name of OV took down Teams by using two bugs. Both exploits earned the contestants $200,000.

The exploit against Zoom sounds as if it was especially thrilling, coming with just 10 seconds left of the pair’s second attempt, occurring all without the target clicking anything.

As far as the other bugs go, on day one, a group of contestants going under the guise of Devcore paired an authentication bypass and a local privilege escalation to takeover an Exchange server. Windows 10 and Ubuntu Desktop also fell on day one.

On day two, Bruno Keith & Niklas Baumstark of Dataflow Security used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. The team earned $100,000. Other successes from day two include Parallels Desktop in the virtualization category, Chrome and Edge, and Ubuntu Desktop again.

As is usually par for the course with Pwn2Own week, many of these vulnerabilities should be patched in short order, either with an out of band patch or the next regularly scheduled round of updates. While vendors have 90 days to produce fixes for the vulnerabilities reported, some roll out patches much quicker. Mozilla engineers patched a Firefox vulnerability in less than a day a few years ago.

While the details of the Exchange bug aren’t fully known - other than that it combined an authentication bypass and a local privilege escalation - the fact that it even surfaced adds fuel to the proverbial Exchange fire from the last month.

Adminstrators have had their hands full over the last month plus scrambling to patch four zero day vulnerabilities in Microsoft Exchange Server that were being used in active attacks against enterprises by a state-sponsored hacking group, Hafnium. Microsoft said in late March that Microsoft earlier this week said that 92% of vulnerable Exchange servers had been patched or had mitigations applied.

One of the largest hacking competitions, Pwn2Own concludes Thursday with another attempt against Exchange, Parallels Desktop, Windows 10, and Ubuntu Desktop.

Tags: Vulnerabilities

Recommended Resources

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.