A View of Upcoming Threat Coverage from Pwn2Own 2018
Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing)| Date: Wed, 14 Mar 2018 21:18:38 +0000
This blog will be updated throughout the competition so keep tracking for the latest updates on upcoming threat coverage!
St. Patrick’s Day is coming up later this week, but the contestants at Pwn2Own 2018 will need more than luck on their side. They will need to dive into their expert hacking skills in the hopes of winning cash and prizes. We are in Vancouver for the Pwn2Own competition and excited to welcome Microsoft as a partner and VMware as a sponsor. This year, we have seven entries from five contestants targeting products across two of the categories. There were additional entries, but they were forced to withdraw from the competition for a number of reasons.
We have team members from Trend Micro Research (which includes the Zero Day Initiative team) onsite as usual, meeting with each of the contestants and dissecting the code and exploits in order to provide zero-day protection for Trend Micro customers. We never know what will happen when we arrive at the contest. Whether or not Pwn2Own falls near or right after a Microsoft Patch Tuesday, many vendors will make it a point to issue patches ahead of the contest. So, for example, if a contestant happens to be working on a Microsoft vulnerability, their entry could be thwarted by Microsoft’s updates. A couple of the entries that were withdrawn this year fell “victim” to vendors issuing patches. For those contestants who remain in the contest, they have three attempts within their allotted 30-minute timeslot to demonstrate their exploit.
At the end of it all, Pwn2Own helps us make the cyber world safer by working with any affected vendors to make sure they have the vulnerability and exploit information they need to issue a patch. In turn, we will provide protection for our customers until the affected vendors can build and release a patch, and maintenance windows can be scheduled for impacted systems to be remedied.
Keep following this post for updates on our upcoming Digital Vaccine coverage for the vulnerabilities discovered during Pwn2Own 2018! You can also get up to the minute coverage of the Pwn2Own contest by following the Zero Day Initiative on Twitter at @thezdi.
Upcoming coverage for the vulnerabilities discovered at Pwn2Own is listed below. Any items listed in the Upcoming Digital Vaccine Coverage column with an asterisk (*) are vulnerabilities that can only be exploited at a local level.
Day 1: March 14, 2018
| Time (PDT) | Team | Target | Successful? | Upcoming Digital Vaccine Coverage? |
| 10:00am | Richard Zhu (fluorescence) | Apple Safari with a sandbox escape | No | Yes ZDI-CAN-5812 ZDI-CAN-5813* |
| 12:00pm | Richard Zhu (fluorescence) | Microsoft Edge with a Windows kernel Escalation of Privilege | Yes | Yes ZDI-CAN-5814 ZDI-CAN-5815 ZDI-CAN-5816* |
| 2:00pm | Niklas Baumstark (_niklasb) | Oracle VirtualBox | Partial Win | ZDI-CAN-5817* ZDI-CAN-5818* |
| 4:00pm | Samuel Groß (saelo) | Apple Safari with a macOS kernel Escalation of Privilege |
The post A View of Upcoming Threat Coverage from Pwn2Own 2018 appeared first on .