Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com)

Posted by BeauHD on from the better-luck-next-time dept.

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.

6 of 147 comments (clear)

  1. Um, Edge is more secure than Chrome... by Biogoly · · Score: 5, Funny

    Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?

    1. Re: Um, Edge is more secure than Chrome... by Anonymous Coward · · Score: 3, Funny

      I use chrome on Windows so I get the best possible ad experience, since both Microsoft and google get my preferences that way, instead of just one megacompany.

  2. But, but. . . by quonset · · Score: 4, Funny

    It gives your laptop better battery life!

  3. Re:Firefox? by Anonymous Coward · · Score: 5, Funny

    The Firefox target host ran out of RAM and crashed before it could be p0wned.

  4. Here come all of the Indians hired to to do PR by marcgvky · · Score: 2, Funny

    And the bulk of comments will be that Microsoft is so wonderful, in spite of the mega-awful flaws.... we love it! Right?

    1. Re: Here come all of the Indians hired to to do PR by Anonymous Coward · · Score: 0, Funny

      Great shilling, Pajeet! 2 rupees have been deposited into your loo.