Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com)

Posted by BeauHD on from the better-luck-next-time dept.

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.

16 of 147 comments (clear)

  1. Windows and Edge security by Anonymous Coward · · Score: 5, Informative

    are an oxymoron.

  2. Um, Edge is more secure than Chrome... by Biogoly · · Score: 5, Funny

    Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?

  3. But, but. . . by quonset · · Score: 4, Funny

    It gives your laptop better battery life!

  4. Re:I use chrome by 110010001000 · · Score: 4, Informative

    Why are you running Chrome without an adblocker? I really don't understand people. Use an adblocker, always. Use Ghostery if you are worried about tracking.

  5. Re:Firefox? by Anonymous Coward · · Score: 5, Funny

    The Firefox target host ran out of RAM and crashed before it could be p0wned.

  6. Re:do they ever test secure configurations? by gweilo8888 · · Score: 4, Insightful

    Yes, how dare they test things in the default configuration that only 99% of users will be using.

  7. Bugs du jour by nuntius · · Score: 5, Insightful

    Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.

    Seems to support the arguments for efficient, type-safe languages such as Rust.

    1. Re:Bugs du jour by AmiMoJo · · Score: 5, Interesting

      Chrome is mostly C, and it's the only one that didn't get hacked. Relying on type-safe languages doesn't seem to be as important as designing your app to be secure from the ground up.

      Chrome is actually a pretty impressive bit of engineering. It's extremely secure, but also extremely fast. It takes unchecked, often malicious data as an input and safely and quickly displays it. There is even a high performance scripting language built in. Apparently this is quite a hard thing to do as well, since everyone else keeps failing at it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Chinese? by speedplane · · Score: 4, Interesting

    Is it just me, or was every single winner in pwn2own asian? Here's the youtube video: https://www.youtube.com/watch?...

    It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.

    --
    Fast Federal Court and I.T.C. updates
    1. Re:Chinese? by ckatko · · Score: 4, Insightful

      US intelligence is already shitting their pants over the "failure of the last decade" if you wanted the last C-SPAN Senate hearing about the Russian/Trump thing. Seriously, watch it. It's pretty insightful (a thousand times more depth than the shit headlines CNN/MSNBC/et al are running.)

    2. Re:Chinese? by jbmartin6 · · Score: 5, Interesting

      Tencent (3 of the winning teams) is a Chinese company, the dominant player in chat/communications in China. Owns both WeChat and QQ. Not surprising they would field a strong hacking team.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. Chome remained unhackable? by ColaMan · · Score: 5, Interesting

    Chrome might have remained unhackable.

    Or quite possibly people can get more money for their Chrome exploits elsewhere, so they naturally don't want to submit - and then lose - good exploits here in this competition.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
    1. Re:Chome remained unhackable? by AmiMoJo · · Score: 5, Interesting

      Why couldn't they also claim the bug bounty? Google has a non-public submission process, so just submit your report a few days before the event to claim the bug bounty and then use it in the competition. Google aren't going to patch it in that time frame, and besides the version to be used is announced in advance.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Re: LOL by Anonymous Coward · · Score: 4, Insightful

    You shouldn't have to turn off ads on your fucking computer, there should be no ads.

  11. There is a basic reason, Edge has no community by Ilgaz · · Score: 5, Interesting

    Edge isn't open source, it has no developer community, no user community like Firefox who will mercilessly bash it until it goes the right direction, no incentive to be secure.

      You can steal millions from Google with a basic, unpublished cookie hack as they are the largest advertising company on planet. So, they are damn careful about their code. Chromium which eventually ends up to be Chrome has its own community. Additionally, there is a huge privacy fanatic user community, developer community in Mozilla.

    Edge is a browser which comes with the OS, nothing else.

  12. Re:LOL by serviscope_minor · · Score: 4, Informative

    They've gotten so much better and are no longer truly evil,

    Yeah they are. They have less utter dominance of the PC market, so have less opportunity to be evil in a very public and mustache twirling way, but don't be fooled.

    Take for example SDXC and exFAT. exFAT is a not especially good and not innovative filesystem that exists for the sole purpose for Microsoft to have osme patents on it so they can engage in rent seeking. A great example is mnaging to somehow maniuplate the SD card forum into adopting it so the only compliant cards must use it.

    It's a transparent attempt at both rent seeking and blocking open source software.

    --
    SJW n. One who posts facts.