Pwn2Own 2020 moved online because of Covid-19, and hacks were demonstrated against Ubuntu, VirtualBox and more

Pwn2Own is a hacking contest held annually at the CanSecWest security conference, starting in 2007. Participants are challenged to exploit widely used software and mobile devices through previously unknown vulnerabilities.

Winners of the contest receive the device they exploited, a cash prize and a "Masters" award celebrating the year of their victory. The name "Pwn2Own" derives from the fact that participants must "pwn", or hack, the device in order to "own", or win, it.

The Pwn2Own contest is used to demonstrate the vulnerability of widely used devices and software, and it also provides a checkpoint for the progress made in security since the previous year.

About Pwn2Own 2020

In this new edition, Pwn2Own 2020, the contest was held virtually and the attacks were demonstrated online because of the problems caused by the spread of the coronavirus (Covid-19). It was the first time that its organizer, the Zero Day Initiative (ZDI), decided to run the event so that participants could demonstrate their exploits remotely.

During the contest, various working techniques were presented for exploiting previously unknown vulnerabilities in Ubuntu Desktop (Linux kernel), Windows, macOS, Safari, VirtualBox and Adobe Reader.

The total amount of payouts reached 270 thousand dollars (the total prize fund was more than US $4 million).

In summary, the results of the two days of Pwn2Own 2020, the contest held annually at the CanSecWest conference, are as follows:

    • On the first day of Pwn2Own 2020, a team from the Georgia Tech Systems Software and Security Lab (@SSLab_Gatech) hacked Safari with privilege escalation to the macOS kernel level and launched the calculator with root privileges. The attack chain involved six vulnerabilities and earned the team $70,000.
    • During the event, Manfred Paul of "RedRocket" demonstrated local privilege escalation on Ubuntu Desktop by exploiting a vulnerability in the Linux kernel related to improper validation of input values. This earned him a prize of $30.
    • An escape from the guest environment in VirtualBox, with code execution at hypervisor privileges, was also demonstrated by exploiting two vulnerabilities: the ability to read data from an area outside the allocated buffer, and an error when working with uninitialized variables. The prize for demonstrating this flaw was $40. Outside the contest, Zero Day Initiative representatives also demonstrated another VirtualBox technique, which allows access to the host system through manipulations in the guest environment.
    • Two demonstrations of local privilege escalation on Windows by exploiting vulnerabilities that lead to access to an already freed memory area; two prizes of 40 thousand dollars each were awarded for these.
    • Gaining administrator access on Windows when opening a specially crafted PDF document in Adobe Reader. The attack involved vulnerabilities in Acrobat and in the Windows kernel related to access to already freed memory areas (a prize of $50).

The remaining nominations, which went unclaimed, were for hacking Chrome, Firefox, Edge, Microsoft Hyper-V Client, Microsoft Office and Microsoft Windows RDP.

An attempt was made to hack VMware Workstation, but it was unsuccessful. As last year, hacks of most open projects (nginx, OpenSSL, Apache httpd) did not fall within the prize categories.

Separately, we can look at the matter of hacking Tesla's car information systems.

There were no attempts to hack Tesla in the contest, despite the maximum premium of $700 thousand, but there was separate information about the discovery of a DoS vulnerability (CVE-2020-10558) in the Tesla Model 3, which allows a specially crafted page in the built-in browser to disable notifications and disrupt the operation of components such as the speedometer, navigator, air conditioning, navigation system, etc.

Source: https://www.thezdi.com/

