There was a time when we believed there was such a thing as secure and insecure software, but the yearly Pwn2Own hacker event has long disabused us of that notion.

These days it is merely software that has been hacked, or which is yet to be hacked.

On the first day of Pwn2Own Vancouver 2022 Windows 11 and Microsoft Teams joined the hack list using a number of zero-day and chained exploits.

Windows 11

STAR Labs demonstrated a privilege escalation vulnerability in Windows 11 using a Use-After-Free weakness, earning $40,000, and earned another $40,000 by achieving privilege escalation on Oracle Virtualbox.

Marcin Wiązowski of Team Orca of Sea Security, and Keith Yeo demonstrated more zero-days in Windows 11.

Microsoft Teams

In the enterprise communications category Hector Peralta exploited an improper configuration flaw in Microsoft Teams, earning $150,000.

The STAR Labs team (Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch)  earned another $150,000 by demonstrating a zero-click exploit chain of 2 bugs (injection and arbitrary file write).

Lastly, Masato Kinugawa earned another $150,000 for exploiting a 3-bug chain of injection, misconfiguration, and sandbox escape.

Microsoft now has 90 days to develop and release security fixes for all reported exploits before they are publicly released.

Hacks for Apple Safari, Mozilla Firefox and Ubuntu Desktop were also demonstrated, with the teams exploiting 16 zero-day bugs to hack multiple products, earning $800,000 in prizes.

On day 2 hackers will be taking on Tesla’s infotainment system, for a total of more than $1 million in prizes.