Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.

Windows and Edge security

[Anonymous Coward]

are an oxymoron.

Re:I use chrome

[110010001000]

Why are you running Chrome without an adblocker? I really don't understand people. Use an adblocker, always. Use Ghostery if you are worried about tracking.

Re:

[darkain]

Or just use Opera, which is basically Chrome Stable (none of the bullshit blind A/B testing Google does on their "stable" branch that breaks shit), has built in ad blocker, and built in VPN. The best of all worlds!

Re:

[l20502]

built in VPN

You mean built in connection to it's chinese overlords?

Re:

[t0y]

Use Ghostery if you are worried about tracking.

And don't forget to disable ghostery's tracking.

Re:

[kilodelta]

There's no reason to run a browser without AdBlock and ScriptSafe. That would be my minimum.

Re:I use chrome

[geekmux]

...it's hideous how it tracks you.

I don't have anywhere close to this unnerving tracking with Safari or Firefox.

You're running a browser created by the same organization who has essentially indexed our digital universe, and turned that into a multi-billion dollar empire.

At this point, shareholders practically demand perpetuating "hideous" activity.

The irony here is Chrome users feel more secure than ever.

Re:

[AHuxley]

Secure for their ads, not the users.

Re:

[AmiMoJo]

Do you have any evidence that Chrome tracks you if you disable the safe browsing and navigation assistance stuff?

I always ask the same question and never get any evidence. All I want is some proof that if you tell Chrome not to track you, it does anyway.

Re:

[chihowa]

Putting trust in corporations is stupid and trusting an advertising company (whose core business model is tracking people and building dossiers on them) to not track you is equally stupid. I don't have any evidence that they're tracking you, but you don't have any evidence that they're not and tracking you would fit their MO perfectly.

Do what you want -- nobody cares -- but there's nothing unreasonable about distrusting Google, even in the absence of hard evidence.

Re:

[ChunderDownunder]

Mozilla's thoughts on replacing c/c++ with rust...

Re:

[Rob Y.]

Well, that brings up an obvious question. If Edge is a whole new browser - built, presumably, using the latest, 'safest' coding techniques - what does that say about the ability to make programming languages (or 'standard' techniques for coding in them) safe. After all this time, new code is still more hackable than older - but better tested - code?

Um, Edge is more secure than Chrome...

[Biogoly]

Or are going to tell me those Windows 10 pop-ups are lying? Hmmm?

Re:

[mykepredko]

I wish I had mod points. Nice.

Re: Um, Edge is more secure than Chrome...

[Anonymous Coward]

I use chrome on Windows so I get the best possible ad experience, since both Microsoft and google get my preferences that way, instead of just one megacompany.

Re:

[Frosty Piss]

Microsoft has a reputation to live up to...

Re:

[Samurai Nigel]

To be fair, Windows 10 says Edge is more secure than Firefox. (It only says it uses less battery than Chrome.) ;)

But, but. . .

[quonset]

It gives your laptop better battery life!

Re:

[MightyMartian]

That's probably true. It's so bereft of features that it probably does take a lot less clock cycles. But then again, if that's the only argument, then Links is probably the hands down best winner, or maybe "telnet wherever.com 80"!

Microsoft's proclamations about the wonders of its products are beginning to resemble those satirical Monty Python faux-ads about Crelm Toothpaste.

Re:

[Anonymous Coward]

Battery life was a legit beef with Chrome - Chrome had gotten pretty lazy about policing it's processes and tended to let bad javascript/video decoding/etc run unchecked. Modern laptops are efficient but they'll chew up your battery if chrome demands all your cores/threads run full tilt.

Last few versions of Chrome have gone a long way to tamp down on obvious waste and upcoming features will sleep/suspend unused tabs by default.

Re:

[thegarbz]

I think it's fair to say it "gave" you better battery life.

Re:

[Zaatxe]

But does it have electrolytes?

Re:

[CastrTroy]

The battery does.

Re:

[Zaatxe]

Good, because that's what the laptops crave.

Re:

[AmiMoJo]

Malware must be getting more efficient.

Re:do they ever test secure configurations?

[gweilo8888]

Yes, how dare they test things in the default configuration that only 99% of users will be using.

Re:

[MightyMartian]

Your web experience must be thrilling, kind of like surfing the web in 1995. Christ, just use gopher to get the full glory of the 1990s Internet experience.

Re:

[AHuxley]

Russia learned a lot on how the CIA got the text to Khrushchev's "On the Cult of Personality and Its Consequences" speech https://en.wikipedia.org/wiki/... [wikipedia.org].
Russian staff work on paper files in secure building now.
Stay in restricted city, town. No way MI6/CIA can get in to offer cash for file.
In West policy created by party political think tank on web browser connected to internet.
Many other nations read along in real time as policy correction made and then final document is prepared.

LOL

[mykepredko]

What else is there to say?

Re:

[speedplane]

What else is there to say?

I'm starting to feel bad for MS these days. They've gotten so much better and are no longer truly evil, but just can't win.

Re:

[MightyMartian]

I have Onedrive ads popping up on one of my computers every time a File save dialog opens. Microsoft is the same evil, dirty player it ever was. It just doesn't have penetration on the biggest growth platform, so it's position is more vulnerable.

Re: LOL

[Anonymous Coward]

You shouldn't have to turn off ads on your fucking computer, there should be no ads.

Re:LOL

[serviscope_minor]

They've gotten so much better and are no longer truly evil,

Yeah they are. They have less utter dominance of the PC market, so have less opportunity to be evil in a very public and mustache twirling way, but don't be fooled.

Take for example SDXC and exFAT. exFAT is a not especially good and not innovative filesystem that exists for the sole purpose for Microsoft to have osme patents on it so they can engage in rent seeking. A great example is mnaging to somehow maniuplate the SD card forum into adopting it so the only compliant cards must use it.

It's a transparent attempt at both rent seeking and blocking open source software.

Firefox?

[Gnu Zealand]

Does anyone have the results for Ff? Was it included?

Re:

[Gnu Zealand]

No matter; it was in the article. (blush) "Firefox" "Firefox was back at this year’s Pwn2Own after missing last year, seemingly because the browser would’ve been too easy to hack. Things have changed a little since then, though; Firefox has gained some partial sandboxing capabilities. Two hacking attempts were made against Mozilla’s browser during the contest. Only one succeeded through an integer overflow in Firefox and an uninitialized buffer in the Windows kernel to elevate system priv

Re:Firefox?

[Anonymous Coward]

The Firefox target host ran out of RAM and crashed before it could be p0wned.

The teams found out 3 months ago Chrome was secure

[raymorris]

The teams didn't just decide that morning "hey let's compete in Pwn2Own today". They prepared months in advance, testing all the browsers to see what they could do. Perhaps a month or two before the event, they decided which browser they had the best exploits for, the browser they would focus on during the actual competition.

All the teams but one learned from their testing that they wouldn't be able to hack Chrome. One team thought it was their best chance and that team failed.

Re:

[Pinky's Brain]

I prefer to take the capitalist point of view. Chrome exploits are more profitable when sold to criminals (state aligned or free market ones).

Pity, since I can't accept the EULA

[Ungrounded Lightning]

Google's Chrome browser, on the other hand, remained unhackable during the contest.

Unfortunately for me, I can't accept Chrome's EULA.

It incorporates Adobe's, which (if I recall correctly from my AT&T Android-based smartphone) has several clauses I can't abide - including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice, ...

I don't intend to do anything that might come back to limit my future software work or employability. Clicking throu

Re:

[ChunderDownunder]

Just curious, is the licensing for the open source bits, Chromium, any less scary?

I do use Firefox as my main browser but keep Chome and/or Edge handy for 'legacy' sites that expect flash. (Oh and not pr0n, things like my university's portal. Amusingly though, the student portal recently popped an error saying Flash 9 was required and wouldn't work in either of those browsers!)

Re:

[wasteoid]

I guess you're still using Lynx [wikipedia.org]?

Re:

[Gravis Zero]

Unfortunately for me, I can't accept Chrome's EULA.

It incorporates Adobe's, which (if I recall correctly from my AT&T Android-based smartphone) has several clauses I can't abide - including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice, ...

I don't intend to do anything that might come back to limit my future software work or employability.

There is a distinct difference between a rational concern and paranoia. This is the later.

paranoia : a tendency on the part of an individual or group toward excessive or irrational suspiciousness and distrustfulness of others

Re:

[Anonymous Coward]

When you say paranoia, are you referring to the parent poster or the EULA?

"including a never-compete, don't block updates, don't work on circumvention tools, we can change the license without notice"

The EULA sounds paranoid of its users.

Re:

[OpenSourced]

don't work on circumvention tools

So that's how Chrome remains unhackable!

Bugs du jour

[nuntius]

Interesting how well-known issues such as use-after-free, heap overflow, type confusion, and uninitialized memory are still common attack vectors.

Seems to support the arguments for efficient, type-safe languages such as Rust.

Re:

[Chris Katko]

And then they'd just attack the run-time/garbage collector.

Re:

[Anonymous Coward]

Rust doesn't have a GC, or much of a runtime really.

Also, I imagine the entire rust standard library + anything you might call a run-time is drastically less code than Edge, and can be secured once, instead of for each application.

Re:Bugs du jour

[AmiMoJo]

Chrome is mostly C, and it's the only one that didn't get hacked. Relying on type-safe languages doesn't seem to be as important as designing your app to be secure from the ground up.

Chrome is actually a pretty impressive bit of engineering. It's extremely secure, but also extremely fast. It takes unchecked, often malicious data as an input and safely and quickly displays it. There is even a high performance scripting language built in. Apparently this is quite a hard thing to do as well, since everyone else keeps failing at it.

Re:

[MrVictor]

The idea of Rust is cool but in real life it sucks

- Is a Mozilla creation -> strike one
- More articles written about it than there is code -> strike 2
- Unsafe Rust must be used extensively in any sizeable project which renders all proselytizing about memory safety moot -> strike 3

Here come all of the Indians hired to to do PR

[marcgvky]

And the bulk of comments will be that Microsoft is so wonderful, in spite of the mega-awful flaws.... we love it! Right?

Re:

[thegarbz]

And the bulk of comments will be that Microsoft is so wonderful

You must be new here.

Re:

[Tablizer]

R.T.F.L.M.

Re:

[EndlessNameless]

How does your staff support VIP and execs that need access to internally and externally hosted shared calendars across iphones, android and windows pc outlook clients?

VPN.

Or use a web- or cloud-based application---you can still enjoy single sign-on with federation.

How do you remotely wipe phones and laptops when an employee is terminated, and verify backups prior to issuing the wipe if needed?

Every platform has a way to do this, including iPhone, Android, and Linux. Windows is not special.

What process do you use to audit pc clients are patched to required compliance levels?

Windows has no native capability to do this. You are either paying for System Center or using a third-party solution.

People will real patching requirements cannot use the "free" WSUS since it only patches MS products and leaves other software completely unmanaged. No matter what, you have to spend money to fulfill

Chinese?

[speedplane]

Is it just me, or was every single winner in pwn2own asian? Here's the youtube video: https://www.youtube.com/watch?... [youtube.com]

It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.

Re:Chinese?

[Chris Katko]

US intelligence is already shitting their pants over the "failure of the last decade" if you wanted the last C-SPAN Senate hearing about the Russian/Trump thing. Seriously, watch it. It's pretty insightful (a thousand times more depth than the shit headlines CNN/MSNBC/et al are running.)

Re:

[Zontar_Thing_From_Ve]

It's not entirely clear what Asian country everyone is from (or perhaps they're Asian-American), but assuming none of them are from the U.S., it should make those in government U.S. cybersecurity a bit anxious, and perhaps give pause to our new-found love of immigration restrictions.

Unlikely. The people that are in love with the restrictions don't really want anybody coming over. I have an Asian friend who lives on the other coast of the US from me. She's ethnically Chinese but immigrated by marriage from her home country to the USA. She's told me some recent stories about having white women make very prejudiced remarks towards her both at work and while shopping. And keep in mind that she's not Muslim so none of this is caused by religious wear like a hijab. People who voted for

Re:Chinese?

[jbmartin6]

Tencent (3 of the winning teams) is a Chinese company, the dominant player in chat/communications in China. Owns both WeChat and QQ. Not surprising they would field a strong hacking team.

Re:

[AmiMoJo]

Far Eastern countries just invested more in developing cyber security talent, that's all.

Immigration restrictions won't help you, the internet is global and the only countries that has an effective cyber border are all Far Eastern.

Chome remained unhackable?

[ColaMan]

Chrome might have remained unhackable.

Or quite possibly people can get more money for their Chrome exploits elsewhere, so they naturally don't want to submit - and then lose - good exploits here in this competition.

Re:

[Actually, I do RTFA]

Or, as noted, the rules prevented some hacks from being used. Maybe all the Chrome hacks fell into that category.

Re:

[StormReaver]

Or quite possibly people can get more money for their Chrome exploits elsewhere....

The same could be said for Internet Explorer, Safari, Firefox, and Edge. The more likely explanation is that Chrome is just more secure than the other browsers, and that Edge is just as bad as Internet Explorer (which makes sense, since Microsoft is incapable of making a decent Web browser).

Re:Chome remained unhackable?

[AmiMoJo]

Why couldn't they also claim the bug bounty? Google has a non-public submission process, so just submit your report a few days before the event to claim the bug bounty and then use it in the competition. Google aren't going to patch it in that time frame, and besides the version to be used is announced in advance.

Re:

[doug141]

An interesting point. Is it possible that Microsoft's recent boasting about Edge security attracted hackers this year? Can the public discern relative browser security from Pwn2Own? Those NSA leaks had NSA opinions on various anti-virus programs... I wonder if there's anything in there about browsers.

That's not news

[OneHundredAndTen]

That something from Microsoft is an insecure PoS is not news - it is business as usual. Consider yourself middle-fingered, Microsoft.

So....

[BronsCon]

Class action over the "Edge is the most secure browser" popups in Win 10?

Re:

[coofercat]

There's a qualifier which is "Edge is the most secure browser *from Microsoft*". Making something less terrible than IE wasn't especially hard, but they're still trying.

Re:

[BronsCon]

Except for the fact that you're flat out wrong [techtimes.com], whereas I merely paraphrased in order to fit several different messages (as it changes based on which browser you're launching) into a single terse statement. Microsoft never used that qualifier; they did, however, say Edge is safer than Chrome and Firefox. Funny, I've never seen that popup for IE, Opera, or any other browser that isn't Chrome or Firefox.

But, they did specifically call out those two... then proceed to lose to them at Pwn2Own.

There is a basic reason, Edge has no community

[Ilgaz]

Edge isn't open source, it has no developer community, no user community like Firefox who will mercilessly bash it until it goes the right direction, no incentive to be secure.

  You can steal millions from Google with a basic, unpublished cookie hack as they are the largest advertising company on planet. So, they are damn careful about their code. Chromium which eventually ends up to be Chrome has its own community. Additionally, there is a huge privacy fanatic user community, developer community in Mozilla.

Edge is a browser which comes with the OS, nothing else.

Re:

[ChunderDownunder]

Edge isn't open source

Its Javascript Engine is. It isn't clear from the article where exactly the vulnerabilities lay but potentially opening up the code to "many eyes" may have provided a way in, whereas crafting a Pwn without the source might have previously been trickier.

Re:

[Bert64]

But opening up the code doesn't put edge at a disadvantage, it only serves to level the playing field relative to its main competitors which are both open source.

Re:

[angel'o'sphere]

Edges HTML engine seems to be WebKit.

Re: There is a basic reason, Edge has no community

[Ilgaz]

No it isn't, it is compatible and somehow similar to WebKit but not really WebKit. It requires a real paradigm shift for MS to adopt WebKit. MS says one shouldn't worry about site compatibility if it works with Apple Safari. I think it creates the confusion.

I actually like simple browsers using native OS functions and use less energy & CPU but not being open source and multi platform kills whole advantage.

Re:

[angel'o'sphere]

Well,
I'm working with Edge and Chrome in software development.
The "Developer Tools" in Edge look exactly the same as in Chrome and Safari. I check tomorrow again, I doubt there is even a single pixel difference. So I assumed Edge was based on WebKit, too.

Underpaid researchers

[Robert Goatse]

$105K for 3 zero days for the VMWare escape sounds hideously low. I bet those guys could get 10x that amount 'somewhere else'.

Chrome is terrible

[slashmydots]

If you install a completely not blocked at all malware add on to Chrome as an extension, it will not only remain unblocked because Google doesn't give a shit but it will also automatically propogate itself or at least its settings to all your other devices that run Chrome. Isn't that convenient!

Tor browser is built on Firefox

[davsi]

Given their interest in security and privacy, I'd say this is a significant fact.

Chrome is most certainly not unhcakable.

[PJ6]

I saw a fully patched, up-to-date machine get rooted via Chrome from a malicious website not two months ago.

Run it in a sandbox.

Run all browsers in a sandbox, even if they say they already have one built in.

Re:

[BronsCon]

You mean like the perspective they cast by popping up an "Edge is the most secure browser" message every time you click a Chrome or Firefox icon in Win 10?

Re:

[f3rret]

You mean like the perspective they cast by popping up an "Edge is the most secure browser" message every time you click a Chrome or Firefox icon in Win 10?

That doesn't happen though, but cool of you to say it does

Re:

[BronsCon]

Oh, you've never seen it? I may have paraphrased, because the message is slightly different depending on which browser you're launching, but, well, it happens [techtimes.com]. In fact, it was reported here back in November [slashdot.org].

Re: But Edge is still new compared to the others

[pahosler]

I have Win10 pro on my laptop, I've never seen a pop up from M$. I only used Edge long enough to install Chrome. My laptop is an older Lenovo R61 that never just sipped electrons anyway. Other than Chrome I haven't done any mods or disabled any services.

Re:

[BronsCon]

You could have read the rest of the thread before posting and found an example of exactly what I'm talking about, including a screenshot and a link to where it was reported here in November. That would have been a good alternative to making yourself look like a MS shill by claiming that, since it doesn't happen to you, it must not happen at all.