Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com)

Posted by BeauHD on from the better-luck-next-time dept.

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.

9 of 147 comments (clear)

  1. Windows and Edge security by Anonymous Coward · · Score: 5, Informative

    are an oxymoron.

  2. Um, Edge is more secure than Chrome... by Biogoly · · Score: 5, Funny

    Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?

  3. Re:Firefox? by Anonymous Coward · · Score: 5, Funny

    The Firefox target host ran out of RAM and crashed before it could be p0wned.

  4. Bugs du jour by nuntius · · Score: 5, Insightful

    Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.

    Seems to support the arguments for efficient, type-safe languages such as Rust.

    1. Re:Bugs du jour by AmiMoJo · · Score: 5, Interesting

      Chrome is mostly C, and it's the only one that didn't get hacked. Relying on type-safe languages doesn't seem to be as important as designing your app to be secure from the ground up.

      Chrome is actually a pretty impressive bit of engineering. It's extremely secure, but also extremely fast. It takes unchecked, often malicious data as an input and safely and quickly displays it. There is even a high performance scripting language built in. Apparently this is quite a hard thing to do as well, since everyone else keeps failing at it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Chome remained unhackable? by ColaMan · · Score: 5, Interesting

    Chrome might have remained unhackable.

    Or quite possibly people can get more money for their Chrome exploits elsewhere, so they naturally don't want to submit - and then lose - good exploits here in this competition.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
    1. Re:Chome remained unhackable? by AmiMoJo · · Score: 5, Interesting

      Why couldn't they also claim the bug bounty? Google has a non-public submission process, so just submit your report a few days before the event to claim the bug bounty and then use it in the competition. Google aren't going to patch it in that time frame, and besides the version to be used is announced in advance.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. There is a basic reason, Edge has no community by Ilgaz · · Score: 5, Interesting

    Edge isn't open source, it has no developer community, no user community like Firefox who will mercilessly bash it until it goes the right direction, no incentive to be secure.

      You can steal millions from Google with a basic, unpublished cookie hack as they are the largest advertising company on planet. So, they are damn careful about their code. Chromium which eventually ends up to be Chrome has its own community. Additionally, there is a huge privacy fanatic user community, developer community in Mozilla.

    Edge is a browser which comes with the OS, nothing else.

  7. Re:Chinese? by jbmartin6 · · Score: 5, Interesting

    Tencent (3 of the winning teams) is a Chinese company, the dominant player in chat/communications in China. Owns both WeChat and QQ. Not surprising they would field a strong hacking team.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.