Pwn2Own is a hacking contest held annually at the CanSecWest security conference, where contestants try to exploit popular software and mobile devices with previously unknown vulnerabilities.
At the last edition of Pwn2Own, Microsoft's browser proved a little too hard to beat, far better than Internet Explorer and Safari, while Chrome was only partially hacked.
But come 2017, Microsoft seems to have lost its edge, as things got worse for Edge; the browser was hacked no fewer than five times.
The most impressive exploit, and also a first for Pwn2Own, came from a security team from “360 Security”: a virtual machine escape through an Edge flaw, chaining a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape.
There was just one attempt to hack Chrome, but the Tencent Security Team Sniper couldn’t get the attack to work in the allotted time.
Two attempts were made against Mozilla’s browser, Firefox, during the contest, but only one succeeded, using an integer overflow in Firefox and an uninitialized buffer in the Windows kernel to elevate system privileges.
Other major browsers, like Safari, were hit on the first attack, which used three logic bugs in the browser and a null pointer dereference to elevate privileges in macOS. However, it was awarded only a partial prize ($28,000) because the UAF bug had already been fixed in the beta version of Safari.
In the meantime, Chrome remains the undisputed champion in browser security, although perhaps Google had already discovered the bug and fixed it before the contest, making it impossible for the exploit to succeed.