Fifteen Holes In The Fence Before Lunch: Pwn2Own Berlin, Day Two

I want you to sit with that number for a moment. Fifteen. Fifteen separate holes in the fence, demonstrated in a single afternoon, in products that millions of organizations trust to protect their flocks. Windows 11. Microsoft Exchange. Red Hat Enterprise Linux. All of them. Compromised. On a Tuesday.

The wolves collected $385,750 for the privilege. They were paid. Handsomely.

In my day, if you found a hole in the fence, you kept quiet about it, filed a report on magnetic tape, and mailed it to a post office box in Langley. Nobody got a trophy and a wire transfer. I am not saying the old system was perfect. I am saying it had dignity.

For those unfamiliar with Pwn2Own, it is a competition where researchers demonstrate holes in the fence against live production software under controlled conditions. The organizers call this "responsible disclosure." I call it a quarterly reminder that the Shepherds in charge of procurement have been asleep against a fence post since approximately 2019.

Exchange being on this list is, frankly, less surprising than finding a tick on an unshorn lamb in July. That product has been a recurring feature of these events for years. At some point it stops being a vulnerability and starts being a personality trait.

Windows 11 I find more personally offensive. Microsoft has had decades. Decades of resources, of feedback, of public humiliation at these exact events. And yet. Here we are. More holes. More wolves. More cash prizes.

The Sky Pasture crowd will now tell you their platforms were not affected. They always say this. I do not believe them. I never believe them.

The Flock, of course, is unaware any of this happened. They are clicking links in emails and wondering why the printer is slow.

Remediation

This is not complicated, even if the Shepherds will pretend otherwise.

Apply the ointment. When patches drop for Exchange, Windows 11, and RHEL, you dip the flock immediately. Not next quarter. Not after the budget cycle. Now.

Audit your Electric Fence rules. Fifteen holes demonstrated publicly means there are almost certainly more that were not. Review your perimeter configurations with appropriate paranoia. I recommend significant paranoia.

Segment the flock. If Exchange is compromised, it should not have a clear path to everything else in the pasture. Lateral movement is how a single tick becomes an infestation.

Use the Sheep Tunnel. Administrative access to critical systems should never be exposed directly. If yours is, that is not a vulnerability. That is a choice. A bad one.

The tools to address this exist. They existed in the 1990s, frankly, just with less colorful dashboards.

Patch your fences. The wolves already know where they are.

Original Report: https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/