Slashdot Mirror
Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com)
At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
are an oxymoron.
... they could port all the C code to Pascal/Delphi and be safe ! LOL.
Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?
It gives your laptop better battery life!
an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well
Nobody who gives the first shit about online security is running javascript by default.
They should test realistic configurations. Javascript disabled, adblock, umatrix, etc. Then let us know what problems are remaining.
We know javascript drastically increases the attack surface. We've been seeing those exploits every single day for many years.
cause ill post one of 3 i have just to show you we whoever we are dont want to tell you, your cia and fbi likely already know them why should we tell you
Are they stupid or what?
Why are you running Chrome without an adblocker? I really don't understand people. Use an adblocker, always. Use Ghostery if you are worried about tracking.
...it's hideous how it tracks you.
I don't have anywhere close to this unnerving tracking with Safari or Firefox.
You're running a browser created by the same organization who has essentially indexed our digital universe, and turned that into a multi-billion dollar empire.
At this point, shareholders practically demand perpetuating "hideous" activity.
The irony here is Chrome users feel more secure than ever.
What else is there to say?
Mimetics Inc. Twitter
I'm hoping the teams have prepared for weeks or months and they didn't just find these bugs from scratch, meaning they or anyone else could do the same tomorrow.
Does anyone have the results for Ff? Was it included?
Secure for their ads, not the users.
Domestic spying is now "Benign Information Gathering"
The article stated that there was only one hack attempt against Chrome and the time ran out before it could succeed. It's not more secure it just didn't get that much attention. It's more accurate to say that the other browsers (particularly Edge) had exploits known to them and it was more profitable to go at what they believed to be the softer target.
Google's Chrome browser, on the other hand, remained unhackable during the contest.
Unfortunately for me, I can't accept Chrome's EULA.
It incorporates Adobe's, which (if I recall correctly from my AT&T Android-based smartphone) has several clauses I can't abide - including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice, ...
I don't intend to do anything that might come back to limit my future software work or employability. Clicking through such a license (even if every bit of it is struck down by the courts - which I'm not holding my breath expecting), especially on a device that "phones home" in a way that is easily identified with my true name, is an invitation for an all-versus-one gladiatorial match with two multibillion-dollar corporations' legal departments.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.
Seems to support the arguments for efficient, type-safe languages such as Rust.
Don't forget how Netscape lost its battle, thanks to despicable Microsoft.
And the bulk of comments will be that Microsoft is so wonderful, in spite of the mega-awful flaws.... we love it! Right?
Is it just me, or was every single winner in pwn2own asian? Here's the youtube video: https://www.youtube.com/watch?...
It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.
Fast Federal Court and I.T.C. updates
Or just use Opera, which is basically Chrome Stable (none of the bullshit blind A/B testing Google does on their "stable" branch that breaks shit), has built in ad blocker, and built in VPN. The best of all worlds!
And I hate Google rattling my cage on a daily basis after I have said "NO THANKS !!!!!!!!!!!!!" about 10 thousand times.
But hey, it is no surprise that Edge got hacked more often, simply because it has not had the time to become hardened like Chrome has.
Recently I switched to Opera because it runs nicely on Ubuntu and Windows 10, and I have to say that I really like it. The sync across platforms is awesome and it is faaaaaaast.
Chrome might have remained unhackable.
Or quite possibly people can get more money for their Chrome exploits elsewhere, so they naturally don't want to submit - and then lose - good exploits here in this competition.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
If it has a name like "Chakra", it's bound to have been written by pooinloo Indians renowned for their shitty code full of security holes. Never trust or hire a Pajeet.
That something from Microsoft is an insecure PoS is not news - it is business as usual. Consider yourself middle-fingered, Microsoft.
Class action over the "Edge is the most secure browser" popups in Win 10?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
You mean like the perspective they cast by popping up an "Edge is the most secure browser" message every time you click a Chrome or Firefox icon in Win 10?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The teams didn't just decide that morning "hey let's compete in Pwn2Own today". They prepared months in advance, testing all the browsers to see what they could do. Perhaps a month or two before the event, they decided which browser they had the best exploits for, the browser they would focus on during the actual competition.
All the teams but one learned from their testing that they wouldn't be able to hack Chrome. One team thought it was their best chance and that team failed.
Edge isn't open source, it has no developer community, no user community like Firefox who will mercilessly bash it until it goes the right direction, no incentive to be secure.
You can steal millions from Google with a basic, unpublished cookie hack as they are the largest advertising company on planet. So, they are damn careful about their code. Chromium which eventually ends up to be Chrome has its own community. Additionally, there is a huge privacy fanatic user community, developer community in Mozilla.
Edge is a browser which comes with the OS, nothing else.
Calling something unhackable but not mentioning the contest parameters is basically advertising for Chrome. Chrome is not unhackable and a lot of people may read only the title and download Chrome over it. The last thing we need is to feed the Chrome user ego. Chrome phones home to google constantly. I'm sure there's a non zero day exploit out there, especially when so many people use it. It wouldn't make since as a hacker to not target it otherwise. Bad title.
How are you going to avoid tracking when every time you go to a url or change ip chrome sends information to 1e100.net. The browser has built in tracking.
Use Ghostery if you are worried about tracking.
And don't forget to disable ghostery's tracking.
If you look at all comments by user goombah99 ( 560566 ) it becomes clear that h/she is not trolling and has made several comments that were modded up. The fact that this post was modded down and tagged with TROLL most likely points to Google shills.
You mean like the perspective they cast by popping up an "Edge is the most secure browser" message every time you click a Chrome or Firefox icon in Win 10?
That doesn't happen though, but cool of you to say it does
Admit nothing. Deny Everything. Make Counter-accusations.
built in VPN
You mean built in connection to it's chinese overlords?
I've said it before at my office, leave it to Microsoft to make a web browser that is worse than Internet Explorer.
See subject & APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script & malware rob speed/security/privacy
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!
* Via what u NATIVELY have built into the IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
Do you have any evidence that Chrome tracks you if you disable the safe browsing and navigation assistance stuff?
I always ask the same question and never get any evidence. All I want is some proof that if you tell Chrome not to track you, it does anyway.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Oh, you've never seen it? I may have paraphrased, because the message is slightly different depending on which browser you're launching, but, well, it happens. In fact, it was reported here back in November.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
$105K for 3 zero days for the VMWare escape sounds hideously low. I bet those guys could get 10x that amount 'somewhere else'.
There's no reason to run a browser without AdBlock and ScriptSafe. That would be my minimum.
Maybe the other posts were updated by Firefox shills and this here is the true moderation deserved?
The great irony here is that a great many people not using chrome because it "tracks you" then turn around and use a single public dns resolver on their network.
Or maybe he sounds like an idiot who can't configure and use a browser properly, so no one wants to listen to his crap.
Perhaps it happens in Windows 10 with all the defaults turned on. No thinking person would set it up that way. I normally use FF and don't see that ad.
If you install a completely not blocked at all malware add on to Chrome as an extension, it will not only remain unblocked because Google doesn't give a shit but it will also automatically propogate itself or at least its settings to all your other devices that run Chrome. Isn't that convenient!
Given their interest in security and privacy, I'd say this is a significant fact.
The iron fist of congress calls those in computer science who stray "terrorists." This country deserves no hackers.
https://en.wikipedia.org/wiki/Aaron_Swartz
https://en.wikipedia.org/wiki/Kevin_Mitnick
https://en.wikipedia.org/wiki/Randal_L._Schwartz
The list is already too long.
Putting trust in corporations is stupid and trusting an advertising company (whose core business model is tracking people and building dossiers on them) to not track you is equally stupid. I don't have any evidence that they're tracking you, but you don't have any evidence that they're not and tracking you would fit their MO perfectly.
Do what you want -- nobody cares -- but there's nothing unreasonable about distrusting Google, even in the absence of hard evidence.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Where's APK when ya need him.
Just saying
ReqeustPolicy allows fine grained control of every external request.
How lame
Damn you!
You have no business using a computer if you don't know of any ways to solve that even if it were true.
I saw a fully patched, up-to-date machine get rooted via Chrome from a malicious website not two months ago.
Run it in a sandbox.
Run all browsers in a sandbox, even if they say they already have one built in.
I thought he was just disputing the "every time" comment, which clearly isn't "every time". If its happening every time, you're doing something wrong, like not setting a default browser.
See subject: Where folks spend most time online hardcoded fav sites @ top of hosts cached in local system RAM = fastest stupid!
* Even faster than traversing a LOCAL LAN for DNS (full of security holes galore & this is ONLY PARTIAL https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ let alone REMOTE DNS (full of security issues shown in that link).
APK
P.S.=> So, after shutting your dumb ass down SO easily, what do YOU have to gain Mr. Advertiser/malwaremaker-botnet herder OR inferior inefficient competitor? Nothing - you just lose on facts... apk
See my subject & https://tech.slashdot.org/comments.pl?sid=10392077&cid=54094565/ & yes my program generates them.
APK
P.S.=> A good 96++% of the time hosts ARE faster & safer (as well as more reliable) than DNS (especially remote with all its security issues galore) stupid... apk
I have Win10 pro on my laptop, I've never seen a pop up from M$. I only used Edge long enough to install Chrome. My laptop is an older Lenovo R61 that never just sipped electrons anyway. Other than Chrome I haven't done any mods or disabled any services.
You could have read the rest of the thread before posting and found an example of exactly what I'm talking about, including a screenshot and a link to where it was reported here in November. That would have been a good alternative to making yourself look like a MS shill by claiming that, since it doesn't happen to you, it must not happen at all.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Why are you running Chrome without an adblocker? I really don't understand people. Use an adblocker, always. Use Ghostery if you are worried about tracking.
ghostery is sketchy these days especially. They do tracking and data mining themselves, plenty of alternatives to block scripts, beacons and so on so I agree with the point, I just don't like ghostery but in the past I didn't mind it. For adblockers ABP seems the popular although it gets circumvented by a lot of things plus they let "unobtrusive" stuff through and I prefer Ublock origin (except in palemoon)
Additionally by avoiding DNS security issues, I avoid TRACKING it allows via my program (by avoiding DNS) http://www.theregister.co.uk/2017/03/21/dns_records_more_revealing_than_you_think_says_german_boffin/
* It also, as a bonus, LIGHTENS DNS LOAD (& dns goes down QUITE A LOT)...
APK
P.S.=> Hilarious - you CAN'T WIN against truth & hard verifiable concrete undeniable facts - especially these regarding 100's of SECURITY ISSUES in DNS my program avoids (& goes faster out of local system RAM too for resolution for where users spend MOST TIME online) https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ as well as DNS inefficiency issues... apk
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
* Recommended & hosted by Malwarebytes' hpHosts!
APK
P.S.=> Adblock does ZERO vs. DNS issues & uses more by far, doing less + is sold out to not work by default on ALL ads & is slower... apk
So Chrome is probably more secure, but obviously less concerned about privacy. Edge to me is a OK browser but even if nobody was able to hack it, I doubt that all of a sudden everyone would switch to it. There is far more basic reasons people use a certain browser that being most secure or includes better privacy protection. After all Firefox claims it protects users privacy better, but their dwindling user base has obviously not been helped by this claim. Nor has the sketchy privacy policies hurt Google's Chrome browser become the top browser by huge numbers. IE was another example of being very popular for years, even though it was constantly riddled with attacks and exploits. Picking a browser is probably more mundane and involves running on many operating systems, a good syncing ability and compatibility with web sites. Does anyone really give a shit about battery life? Obviously not many, which is why I never understood Microsoft sales pitch about Edge.