Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft The Internet Communications Operating Systems Privacy Security Software

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com) 147

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
This discussion has been archived. No new comments can be posted.

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable

Comments Filter:
  • by Anonymous Coward on Tuesday March 21, 2017 @07:51PM (#54085531)

    are an oxymoron.

  • by Biogoly ( 2026888 ) on Tuesday March 21, 2017 @08:09PM (#54085603)
    Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?
  • by quonset ( 4839537 ) on Tuesday March 21, 2017 @08:16PM (#54085623)

    It gives your laptop better battery life!

    • That's probably true. It's so bereft of features that it probably does take a lot less clock cycles. But then again, if that's the only argument, then Links is probably the hands down best winner, or maybe "telnet wherever.com 80"!

      Microsoft's proclamations about the wonders of its products are beginning to resemble those satirical Monty Python faux-ads about Crelm Toothpaste.

    • by Anonymous Coward

      Battery life was a legit beef with Chrome - Chrome had gotten pretty lazy about policing it's processes and tended to let bad javascript/video decoding/etc run unchecked. Modern laptops are efficient but they'll chew up your battery if chrome demands all your cores/threads run full tilt.

      Last few versions of Chrome have gone a long way to tamp down on obvious waste and upcoming features will sleep/suspend unused tabs by default.

    • I think it's fair to say it "gave" you better battery life.

    • by Zaatxe ( 939368 )
      But does it have electrolytes?
    • by AmiMoJo ( 196126 )

      Malware must be getting more efficient.

  • What else is there to say?

    • What else is there to say?

      I'm starting to feel bad for MS these days. They've gotten so much better and are no longer truly evil, but just can't win.

      • I have Onedrive ads popping up on one of my computers every time a File save dialog opens. Microsoft is the same evil, dirty player it ever was. It just doesn't have penetration on the biggest growth platform, so it's position is more vulnerable.

      • Re:LOL (Score:5, Informative)

        by serviscope_minor ( 664417 ) on Wednesday March 22, 2017 @03:20AM (#54086511) Journal

        They've gotten so much better and are no longer truly evil,

        Yeah they are. They have less utter dominance of the PC market, so have less opportunity to be evil in a very public and mustache twirling way, but don't be fooled.

        Take for example SDXC and exFAT. exFAT is a not especially good and not innovative filesystem that exists for the sole purpose for Microsoft to have osme patents on it so they can engage in rent seeking. A great example is mnaging to somehow maniuplate the SD card forum into adopting it so the only compliant cards must use it.

        It's a transparent attempt at both rent seeking and blocking open source software.

  • Does anyone have the results for Ff? Was it included?
    • No matter; it was in the article. (blush) "Firefox" "Firefox was back at this year’s Pwn2Own after missing last year, seemingly because the browser would’ve been too easy to hack. Things have changed a little since then, though; Firefox has gained some partial sandboxing capabilities. Two hacking attempts were made against Mozilla’s browser during the contest. Only one succeeded through an integer overflow in Firefox and an uninitialized buffer in the Windows kernel to elevate system priv
    • Re:Firefox? (Score:5, Funny)

      by Anonymous Coward on Tuesday March 21, 2017 @08:57PM (#54085757)

      The Firefox target host ran out of RAM and crashed before it could be p0wned.

  • Google's Chrome browser, on the other hand, remained unhackable during the contest.

    Unfortunately for me, I can't accept Chrome's EULA.

    It incorporates Adobe's, which (if I recall correctly from my AT&T Android-based smartphone) has several clauses I can't abide - including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice, ...

    I don't intend to do anything that might come back to limit my future software work or employability. Clicking throu

    • Just curious, is the licensing for the open source bits, Chromium, any less scary?

      I do use Firefox as my main browser but keep Chome and/or Edge handy for 'legacy' sites that expect flash. (Oh and not pr0n, things like my university's portal. Amusingly though, the student portal recently popped an error saying Flash 9 was required and wouldn't work in either of those browsers!)

    • I guess you're still using Lynx [wikipedia.org]?
    • Unfortunately for me, I can't accept Chrome's EULA.

      It incorporates Adobe's, which (if I recall correctly from my AT&T Android-based smartphone) has several clauses I can't abide - including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice, ...

      I don't intend to do anything that might come back to limit my future software work or employability.

      There is a distinct difference between a rational concern and paranoia. This is the later.

      paranoia : a tendency on the part of an individual or group toward excessive or irrational suspiciousness and distrustfulness of others

      • by Anonymous Coward

        When you say paranoia, are you referring to the parent poster or the EULA?

        "including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice"

        The EULA sounds paranoid of its users.

    • don't work on circumvention tools

      So that's how Chrome remains unhackable!

  • Bugs du jour (Score:5, Insightful)

    by nuntius ( 92696 ) on Tuesday March 21, 2017 @09:06PM (#54085797)

    Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.

    Seems to support the arguments for efficient, type-safe languages such as Rust.

    • And then they'd just attack the run-time/garbage collector.

      • by Anonymous Coward

        Rust doesn't have a GC, or much of a runtime really.

        Also, I imagine the entire rust standard library + anything you might call a run-time is drastically less code than Edge, and can be secured once, instead of for each application.

    • Re:Bugs du jour (Score:5, Interesting)

      by AmiMoJo ( 196126 ) on Wednesday March 22, 2017 @08:08AM (#54087295) Homepage Journal

      Chrome is mostly C, and it's the only one that didn't get hacked. Relying on type-safe languages doesn't seem to be as important as designing your app to be secure from the ground up.

      Chrome is actually a pretty impressive bit of engineering. It's extremely secure, but also extremely fast. It takes unchecked, often malicious data as an input and safely and quickly displays it. There is even a high performance scripting language built in. Apparently this is quite a hard thing to do as well, since everyone else keeps failing at it.

    • The idea of Rust is cool but in real life it sucks

      - Is a Mozilla creation -> strike one
      - More articles written about it than there is code -> strike 2
      - Unsafe Rust must be used extensively in any sizeable project which renders all proselytizing about memory safety moot -> strike 3
  • by marcgvky ( 949079 ) on Tuesday March 21, 2017 @09:13PM (#54085819) Journal
    And the bulk of comments will be that Microsoft is so wonderful, in spite of the mega-awful flaws.... we love it! Right?
    • And the bulk of comments will be that Microsoft is so wonderful

      You must be new here.

  • Chinese? (Score:5, Interesting)

    by speedplane ( 552872 ) on Tuesday March 21, 2017 @09:14PM (#54085823) Homepage
    Is it just me, or was every single winner in pwn2own asian? Here's the youtube video: https://www.youtube.com/watch?... [youtube.com]

    It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.
    • Re:Chinese? (Score:5, Insightful)

      by Chris Katko ( 2923353 ) on Tuesday March 21, 2017 @11:47PM (#54086159)

      US intelligence is already shitting their pants over the "failure of the last decade" if you wanted the last C-SPAN Senate hearing about the Russian/Trump thing. Seriously, watch it. It's pretty insightful (a thousand times more depth than the shit headlines CNN/MSNBC/et al are running.)

    • It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.

      Unlikely. The people that are in love with the restrictions don't really want anybody coming over. I have an Asian friend who lives on the other coast of the US from me. She's ethnically Chinese but immigrated by marriage from her home country to the USA. She's told me some recent stories about having white women make very prejudiced remarks towards her both at work and while shopping. And keep in mind that she's not Muslim so none of this is caused by religious wear like a hijab. People who voted for

    • Re:Chinese? (Score:5, Interesting)

      by jbmartin6 ( 1232050 ) on Wednesday March 22, 2017 @07:25AM (#54087101)
      Tencent (3 of the winning teams) is a Chinese company, the dominant player in chat/communications in China. Owns both WeChat and QQ. Not surprising they would field a strong hacking team.
    • by AmiMoJo ( 196126 )

      Far Eastern countries just invested more in developing cyber security talent, that's all.

      Immigration restrictions won't help you, the internet is global and the only countries that has an effective cyber border are all Far Eastern.

  • by ColaMan ( 37550 ) on Tuesday March 21, 2017 @09:48PM (#54085891) Journal

    Chrome might have remained unhackable.

    Or quite possibly people can get more money for their Chrome exploits elsewhere, so they naturally don't want to submit - and then lose - good exploits here in this competition.

    • Or, as noted, the rules prevented some hacks from being used. Maybe all the Chrome hacks fell into that category.

    • Or quite possibly people can get more money for their Chrome exploits elsewhere....

      The same could be said for Internet Explorer, Safari, Firefox, and Edge. The more likely explanation is that Chrome is just more secure than the other browsers, and that Edge is just as bad as Internet Explorer (which makes sense, since Microsoft is incapable of making a decent Web browser).

    • by AmiMoJo ( 196126 ) on Wednesday March 22, 2017 @08:13AM (#54087333) Homepage Journal

      Why couldn't they also claim the bug bounty? Google has a non-public submission process, so just submit your report a few days before the event to claim the bug bounty and then use it in the competition. Google aren't going to patch it in that time frame, and besides the version to be used is announced in advance.

    • by doug141 ( 863552 )

      An interesting point. Is it possible that Microsoft's recent boasting about Edge security attracted hackers this year? Can the public discern relative browser security from Pwn2Own? Those NSA leaks had NSA opinions on various anti-virus programs... I wonder if there's anything in there about browsers.

  • That something from Microsoft is an insecure PoS is not news - it is business as usual. Consider yourself middle-fingered, Microsoft.
  • Class action over the "Edge is the most secure browser" popups in Win 10?
    • There's a qualifier which is "Edge is the most secure browser *from Microsoft*". Making something less terrible than IE wasn't especially hard, but they're still trying.

      • Except for the fact that you're flat out wrong [techtimes.com], whereas I merely paraphrased in order to fit several different messages (as it changes based on which browser you're launching) into a single terse statement. Microsoft never used that qualifier; they did, however, say Edge is safer than Chrome and Firefox. Funny, I've never seen that popup for IE, Opera, or any other browser that isn't Chrome or Firefox.

        But, they did specifically call out those two... then proceed to lose to them at Pwn2Own.
  • by Ilgaz ( 86384 ) on Tuesday March 21, 2017 @11:53PM (#54086167) Homepage

    Edge isn't open source, it has no developer community, no user community like Firefox who will mercilessly bash it until it goes the right direction, no incentive to be secure.

      You can steal millions from Google with a basic, unpublished cookie hack as they are the largest advertising company on planet. So, they are damn careful about their code. Chromium which eventually ends up to be Chrome has its own community. Additionally, there is a huge privacy fanatic user community, developer community in Mozilla.

    Edge is a browser which comes with the OS, nothing else.

    • Edge isn't open source

      Its Javascript Engine is. It isn't clear from the article where exactly the vulnerabilities lay but potentially opening up the code to "many eyes" may have provided a way in, whereas crafting a Pwn without the source might have previously been trickier.

      • by Bert64 ( 520050 )

        But opening up the code doesn't put edge at a disadvantage, it only serves to level the playing field relative to its main competitors which are both open source.

      • Edges HTML engine seems to be WebKit.

        • No it isn't, it is compatible and somehow similar to WebKit but not really WebKit. It requires a real paradigm shift for MS to adopt WebKit. MS says one shouldn't worry about site compatibility if it works with Apple Safari. I think it creates the confusion.

          I actually like simple browsers using native OS functions and use less energy & CPU but not being open source and multi platform kills whole advantage.

          • Well,
            I'm working with Edge and Chrome in software development.
            The "Developer Tools" in Edge look exactly the same as in Chrome and Safari. I check tomorrow again, I doubt there is even a single pixel difference. So I assumed Edge was based on WebKit, too.

  • $105K for 3 zero days for the VMWare escape sounds hideously low. I bet those guys could get 10x that amount 'somewhere else'.
  • If you install a completely not blocked at all malware add on to Chrome as an extension, it will not only remain unblocked because Google doesn't give a shit but it will also automatically propogate itself or at least its settings to all your other devices that run Chrome. Isn't that convenient!
  • Given their interest in security and privacy, I'd say this is a significant fact.
  • I saw a fully patched, up-to-date machine get rooted via Chrome from a malicious website not two months ago.

    Run it in a sandbox.

    Run all browsers in a sandbox, even if they say they already have one built in.

Avoid strange women and temporary variables.

Working...