The three major desktop operating systems were successfully compromised at this year’s Vancouver Pwn2Own hacking contest.
On day 1, macOS’ security was defeated by @Synactiv with a TOCTOU exploit resulting in escalated privileges. @Synactiv was also successfully at hacking a Tesla with yet another TOCTOU earning a Tesla Model 3.
Speaking of privilege escalations, Marcin WiÄ…zowski was able to do so on Windows 11 via an improper input bug. On day 2, @Synactiv was able to escalate privileges on Ubuntu Desktop with incorrect pointer scaling.
For more information on the contest, please see the Zero Day Initiative’s official site and blog covering the event.
The exploits all mentioned are all zero-day vulnerabilities which means that they are weaknesses in the operating systems that were previously unknown and not addressed by the respective vendors. Fully patched systems in this situation do not necessarily have the protections needed to protect against these scenarios which highlights how dangerous these vulnerabilities really are.
Regardless, it is still a best practice to keep your systems up-to-date with updates and using the newest versions of the operating system where possible; especially in the case of macOS. Apple last year released documentation admitting to only keeping their latest OS (macOS Ventura at the time of this writing) up-to-date rather than adhering to the n-2 model that admins and power-users alike have observed.