Mozilla Firefox, Microsoft Edge, Safari, Virtualbox, VMware hacked in 2 days of Pwn2Own 2019

• The Fluoroacetate team consisting of researchers Amat Cama and Richard Zhu successfully exploited Safari, Virtualbox, and VMware and earned a total of $160,000.
• In the next 2 days of the competition, KunnaPwn team and Fluoroacetate team will target the Telsa Model 3 vehicle in the automotive category.

On the first day of Pwn2Own Vancouver 2019, researchers successfully exploited Apple’s web browser Safari, Oracle's Virtualbox, and VMware. On the second day of Pwn2Own, researchers managed to exploit Mozilla Firefox and Microsoft Edge.

Winners of the first day

• The Fluoroacetate team consisting of researchers Amat Cama and Richard Zhu successfully exploited Safari, Virtualbox, and VMware and earned a total of $160,000.
• STAR Labs managed to exploit Virtualbox and earned $35,000.
• The phoenhex & qwerty team exploited Apple’s Safari which earned them $45,000.

Winners of the second day

• On the second day, the Fluoroacetate team targeted Mozilla Firefox by leveraging a bug in JIT along with an out-of-bounds write in the Windows kernel. This earned the team $50,000.
• The same team exploited Microsoft Edge by using a combination of a type confusion in Edge, a race condition in the kernel, and finally, an out-of-bounds write in VMware. This earned them a whopping $ 130,000.
• A security researcher named Niklas Baumstark targeted Mozilla Firefox with a sandbox escape in the web browser category and earned $40,000.
• Another security researcher of Exodus Intelligence, Arthur Gerkis exploited Microsoft Edge with a sandbox escape in the web browser category and earned $50,000.

Worth noting - In the next 2 days of the competition, KunnaPwn team and Fluoroacetate team will target the VCSEC component and the Chromium-based infotainment system of a Tesla Model 3 vehicle in the automotive category.

“Prizes range from $35,000 to $300,000 depending on a variety of factors including the exploit used. And the first successful researcher can also drive off in their own brand new Model 3 after the competition ends,” the contest organizers said.

Update - On the second day, Fluoroacetate team successfully exploited the web browser in the Tesla Model 3 entertainment system and won a Tesal Model 3 as the prize.