Slashdot Mirror
Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com)
At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
...it's hideous how it tracks you.
I don't have anywhere close to this unnerving tracking with Safari or Firefox.
You're running a browser created by the same organization who has essentially indexed our digital universe, and turned that into a multi-billion dollar empire.
At this point, shareholders practically demand perpetuating "hideous" activity.
The irony here is Chrome users feel more secure than ever.
Yes, how dare they test things in the default configuration that only 99% of users will be using.
Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.
Seems to support the arguments for efficient, type-safe languages such as Rust.
You shouldn't have to turn off ads on your fucking computer, there should be no ads.
US intelligence is already shitting their pants over the "failure of the last decade" if you wanted the last C-SPAN Senate hearing about the Russian/Trump thing. Seriously, watch it. It's pretty insightful (a thousand times more depth than the shit headlines CNN/MSNBC/et al are running.)