- Apr 24, 2016
During the weekend of 16-17 October, Chinese hackers went on something of a rampage that saw all but three of the 15 target products breached during the exploit onslaught that was the Tianfu Cup. This annual competition, held in the Sichuan province of Chengdu, has been the go-to for China's elite hackers since they were banned from participating in similar competitive hacking events outside of the country. The biggest and best known of these, Pwn2Own, is due to take place in Austin, Texas, 2-5 November, and I will be reporting on that next weekend when the results are known.
In the meantime, what of the massive Tianfu Cup cybersecurity onslaught? Well, I've already reported how the iPhone 13 Pro, running a fully patched (at the time) version of iOS 15.0.2, was breached not once but twice. The zero-day vulnerabilities, exploited by the Kunlun Lab and Team Pangu in a matter of seconds on the day, saw a remote code execution attack and the first iOS 15 jailbreak.
As well as the attacks on Apple iOS and Safari, there were a whole host of other victims. These included Microsoft, which saw five successful exploits involving the Windows 10 operating system, one impacting Microsoft Exchange, and Google, which saw Chrome fall on the security sword twice. But the list is far from over: Adobe PDF, the Asus AX56U router, Docker CE, Parallels VM, QEMA VM, Ubuntu 20, VMware ESXi and Workstation were also successfully hacked.
Full details of the vulnerabilities exploited and the exploits themselves will filter into the public domain in the coming months. Meanwhile, full disclosure of the security flaws would have been immediately made to all the affected vendors.
Which vendors have already released Tianfu Cup security fixes?
I reached out to all the vendors whose products fell to exploits during the Tianfu Cup weekend, requesting a statement regarding patching timelines for the vulnerabilities concerned. Unfortunately, the response has, if I'm honest, been very disappointing indeed.
A Microsoft spokesperson told me that "all vulnerabilities reported as part of the contest are disclosed responsibly and confidentially. Solutions to verified security issues that meet our criteria for immediate servicing are normally released via our monthly Update Tuesday cadence." So, without confirming as much specifically, there is some hope that patches for the Windows 10 and Microsoft Exchange vulnerabilities on Tuesday, 9 November.
Google didn't provide a statement but did confirm for background purposes that it will roll out any patches required once issues are investigated thoroughly. However, according to Google's security blog it would appear that the two vulnerabilities exploited during the Tianfu Cup have been fixed in Chrome 95.0.4638.69, which started rolling out on Thursday, 28 October.
The only other vendor that responded to my request for more information at the time of publication was Red Hat regarding a vulnerability in the QEMA VM. Unfortunately, the Red Hat security had nothing that could be shared with me.
I will, of course, update this article if and when I hear anything from the remaining vendors, which are Adobe, Apple, Asus, Canonical, Docker, Parallels and VMware. In the meantime, my advice is to keep an eye out for security updates and apply them as soon as you can if you are a user of Adobe PDF, Apple iOS and Safari, Asus AX56U router, Docker CE, Microsoft Exchange and Windows 10, Parallels VM, QEMA VM, Ubuntu 20 or VMware ESXi and Workstation.