Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com)
At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor.) Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000.
At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
are an oxymoron.
The Chakra JavaScript engine is like an Indian with diarrhea.
So I've learned to live it. I run it on a mac. I suspect it's infected somehow. I've removed all the non-google extensions but still it seems like when I click on images I get pop-unders. So I think something is editing my html on the fly.
Now it's sort of hard to tell if this is some virus I picked up that's now embedded in my instance of chrome or if this is just the normal behaviour of a sucky browser.
That is to say this doesn't happen in firefox or chrome because they are good at blocking this sort of crud. Chrome isn't.
Chrome is also very CPU hungry. It basically uses 110% CPU on a quad core Raspberry Pi 3, and puts the load at 2, when it's doing absolutely nothing.
But the main reason to hate chrome is, like people say about cell phones, it's a tracking device that also lets you browse. Every time I use this thing all my ads are riveting accurately targeted. When I dump the HTML to see what's on the page, no matter how random a website I choose I always find my google e-mail address embedded in it. If I log out of google, in hopes of not being tracked, then dump pages I always find some family member or myself in the HTML.
It's hideous how it tracks you.
I don't have anywhere close to this unnerving tracking with Safari or Firefox.
Some drink at the fountain of knowledge. Others just gargle.
... they could port all the C code to Pascal/Delphi and be safe ! LOL.
Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?
It gives your laptop better battery life!
an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well
Nobody who gives the first shit about online security is running javascript by default.
They should test realistic configurations. Javascript disabled, adblock, umatrix, etc. Then let us know what problems are remaining.
We know javascript drastically increases the attack surface. We've been seeing those exploits every single day for many years.
cause I'll post one of 3 I have just to show you we, whoever we are, don't want to tell you. Your CIA and FBI likely already know them, why should we tell you
Are they stupid or what?
What do you expect? A new(ish) browser with a small market share = tons of bugs, unimplemented things and security flaws. I'm no fan of their work, but it needs to be put in perspective a bit.
What else is there to say?
I'm hoping the teams have prepared for weeks or months and they didn't just find these bugs from scratch, meaning they or anyone else could do the same tomorrow.
Does anyone have the results for Ff? Was it included?
The article stated that there was only one hack attempt against Chrome and the time ran out before it could succeed. It's not more secure it just didn't get that much attention. It's more accurate to say that the other browsers (particularly Edge) had exploits known to them and it was more profitable to go at what they believed to be the softer target.
Google's Chrome browser, on the other hand, remained unhackable during the contest.
Unfortunately for me, I can't accept Chrome's EULA.
It incorporates Adobe's, which (if I recall correctly from my AT&T Android-based smartphone) has several clauses I can't abide - including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice, ...
I don't intend to do anything that might come back to limit my future software work or employability. Clicking through such a license (even if every bit of it is struck down by the courts - which I'm not holding my breath expecting), especially on a device that "phones home" in a way that is easily identified with my true name, is an invitation for an all-versus-one gladiatorial match with two multibillion-dollar corporations' legal departments.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.
Seems to support the arguments for efficient, type-safe languages such as Rust.
Don't forget how Netscape lost its battle, thanks to despicable Microsoft.
And the bulk of comments will be that Microsoft is so wonderful, in spite of the mega-awful flaws.... we love it! Right?
Is it just me, or was every single winner in Pwn2Own Asian? Here's the YouTube video: https://www.youtube.com/watch?...
It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.
And I hate Google rattling my cage on a daily basis after I have said "NO THANKS !!!!!!!!!!!!!" about 10 thousand times.
But hey, it is no surprise that Edge got hacked more often, simply because it has not had the time to become hardened like Chrome has.
Recently I switched to Opera because it runs nicely on Ubuntu and Windows 10, and I have to say that I really like it. The sync across platforms is awesome and it is faaaaaaast.
Chrome might have remained unhackable.
Or quite possibly people can get more money for their Chrome exploits elsewhere, so they naturally don't want to submit - and then lose - good exploits here in this competition.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
If it has a name like "Chakra", it's bound to have been written by pooinloo Indians renowned for their shitty code full of security holes. Never trust or hire a Pajeet.
That something from Microsoft is an insecure PoS is not news - it is business as usual. Consider yourself middle-fingered, Microsoft.
Class action over the "Edge is the most secure browser" popups in Win 10?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The teams didn't just decide that morning "hey let's compete in Pwn2Own today". They prepared months in advance, testing all the browsers to see what they could do. Perhaps a month or two before the event, they decided which browser they had the best exploits for, the browser they would focus on during the actual competition.
All the teams but one learned from their testing that they wouldn't be able to hack Chrome. One team thought it was their best chance and that team failed.
Edge isn't open source, it has no developer community, no user community like Firefox who will mercilessly bash it until it goes the right direction, no incentive to be secure.
You can steal millions from Google with a basic, unpublished cookie hack as they are the largest advertising company on planet. So, they are damn careful about their code. Chromium which eventually ends up to be Chrome has its own community. Additionally, there is a huge privacy fanatic user community, developer community in Mozilla.
Edge is a browser which comes with the OS, nothing else.
Calling something unhackable but not mentioning the contest parameters is basically advertising for Chrome. Chrome is not unhackable and a lot of people may read only the title and download Chrome over it. The last thing we need is to feed the Chrome user ego. Chrome phones home to Google constantly. I'm sure there's a non zero day exploit out there, especially when so many people use it. It wouldn't make sense as a hacker to not target it otherwise. Bad title.
I've said it before at my office, leave it to Microsoft to make a web browser that is worse than Internet Explorer.
See subject & APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script & malware rob speed/security/privacy
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!
* Via what u NATIVELY have built into the IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
$105K for 3 zero days for the VMWare escape sounds hideously low. I bet those guys could get 10x that amount 'somewhere else'.
If you install a completely not blocked at all malware add on to Chrome as an extension, it will not only remain unblocked because Google doesn't give a shit but it will also automatically propagate itself or at least its settings to all your other devices that run Chrome. Isn't that convenient!
Given their interest in security and privacy, I'd say this is a significant fact.
The iron fist of congress calls those in computer science who stray "terrorists." This country deserves no hackers.
https://en.wikipedia.org/wiki/Aaron_Swartz
https://en.wikipedia.org/wiki/Kevin_Mitnick
https://en.wikipedia.org/wiki/Randal_L._Schwartz
The list is already too long.
Just saying
RequestPolicy allows fine grained control of every external request.
How lame
I saw a fully patched, up-to-date machine get rooted via Chrome from a malicious website not two months ago.
Run it in a sandbox.
Run all browsers in a sandbox, even if they say they already have one built in.
See subject: Where folks spend most time online hardcoded fav sites @ top of hosts cached in local system RAM = fastest stupid!
* Even faster than traversing a LOCAL LAN for DNS (full of security holes galore & this is ONLY PARTIAL https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ let alone REMOTE DNS (full of security issues shown in that link).
APK
P.S.=> So, after shutting your dumb ass down SO easily, what do YOU have to gain Mr. Advertiser/malwaremaker-botnet herder OR inferior inefficient competitor? Nothing - you just lose on facts... apk
See my subject & https://tech.slashdot.org/comments.pl?sid=10392077&cid=54094565/ & yes my program generates them.
APK
P.S.=> A good 96++% of the time hosts ARE faster & safer (as well as more reliable) than DNS (especially remote with all its security issues galore) stupid... apk
Additionally by avoiding DNS security issues, I avoid TRACKING it allows via my program (by avoiding DNS) http://www.theregister.co.uk/2017/03/21/dns_records_more_revealing_than_you_think_says_german_boffin/
* It also, as a bonus, LIGHTENS DNS LOAD (& dns goes down QUITE A LOT)...
APK
P.S.=> Hilarious - you CAN'T WIN against truth & hard verifiable concrete undeniable facts - especially these regarding 100's of SECURITY ISSUES in DNS my program avoids (& goes faster out of local system RAM too for resolution for where users spend MOST TIME online) https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ as well as DNS inefficiency issues... apk
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
* Recommended & hosted by Malwarebytes' hpHosts!
APK
P.S.=> Adblock does ZERO vs. DNS issues & uses more by far, doing less + is sold out to not work by default on ALL ads & is slower... apk
So Chrome is probably more secure, but obviously less concerned about privacy. Edge to me is an OK browser but even if nobody was able to hack it, I doubt that all of a sudden everyone would switch to it. There are far more basic reasons people use a certain browser than being most secure or including better privacy protection. After all Firefox claims it protects users' privacy better, but their dwindling user base has obviously not been helped by this claim. Nor have the sketchy privacy policies hurt Google's Chrome browser becoming the top browser by huge numbers. IE was another example of being very popular for years, even though it was constantly riddled with attacks and exploits. Picking a browser is probably more mundane and involves running on many operating systems, a good syncing ability and compatibility with web sites. Does anyone really give a shit about battery life? Obviously not many, which is why I never understood Microsoft's sales pitch about Edge.