The Pwn2Own 2017 hacking contest, held during the CanSecWest security conference in Vancouver, recently concluded, and the results spell bad news for the Microsoft Edge browser.
Pwn2Own is a hacking competition held every year where security teams attempt to exploit vulnerabilities and compromise browsers, operating systems, and other software within a stipulated amount of time.
Pwn2Own marked its 10th anniversary in the three-day contest, which saw the Chrome browser remain impenetrable in terms of security.
Microsoft Edge, on the other hand, became the most hacked browser.
The following is a comprehensive overview of the contest outcomes by browser.
The Microsoft Edge browser did not fare particularly well against seasoned hacking experts at Pwn2Own, getting hacked successfully at least five times.
The first day of the contest involved only remote attacks.
The hacking teams had to orchestrate their attacks without user interaction.
The first hacking team to hack Microsoft Edge was Team Ether from Tencent Security.
Team Ether was awarded $80,000 for their efforts.
On the second day, which included browser attacks where hacking teams could send links to contest computers, Edge faced a barrage of attacks from multiple teams.
They were able to elevate system privileges, earning $55,000 in the process.
Hackers from Tencent Security and Team Sniper earned the same prize after utilizing the same vulnerabilities.
Members of the 360 Security team pulled off an unusually impressive hacking feat that fetched them the highest prize of the hacking contest.
They compromised Edge and managed to escape the VMware Workstation virtual machine that the browser was running in.
Pwn2Own organizers stated that the team exploited a heap overflow bug in Edge, an uninitialized buffer flaw in VMware, and a type confusion vulnerability in the Windows Kernel, thus executing a complete virtual machine escape.
For this impressive hacking chain, the 360 Security team earned $105,000.
Hacker Richard Zhu executed the fifth hacking exploit against Edge.
He employed use-after-free (UAF) bugs in the Edge browser and a Windows Kernel buffer overflow to launch the attack.
He was awarded $55,000.
One team’s attempt on the second day was disqualified for utilizing a known vulnerability that had been disclosed the previous day, and two other teams withdrew their attempt against the browser.
Apple’s Safari browser performed better than Microsoft Edge, but was still unimpressive given that it was hacked three times successfully and once partially.
The one partial attempt employed 3 logic bugs in Safari and a null pointer dereference, allowing the team to elevate privileges in macOS.
This attempt was considered partial since the Safari beta version had already fixed the UAF bug.
The hacking attempt earned $28,000.
Researchers from Chaitin Security Research Lab compromised Safari and gained root access on macOS using six distinct bugs.
They were awarded $35,000.
The second day saw Safari get hacked twice successfully, by the 360 Security team and Team Sniper.
Both teams received $35,000 for their efforts.
Richard Zhu had an attempt at Safari, but was unable to complete it within the stipulated time.
Firefox did not feature at Pwn2Own 2016 due to a myriad of security issues with the browser that would have rendered it easily hackable.
However, Firefox has since incorporated partial sandboxing capabilities, making it much more secure.
Firefox was back at Pwn2Own 2017 with two hacking attempts made against it.
One team managed to compromise the browser by using an integer overflow and an uninitialized buffer in the Windows Kernel.
They were able to elevate Firefox system privileges.
It seems like Firefox was not considered an easy target during this year’s contest, but that could change next year.
Nonetheless, things looked better for it when compared to Microsoft Edge.
Team Sniper from Tencent Security was the only team to attempt hacking the Chrome browser.
They were unable to execute the hack within the allotted time.
It is not known whether the hacking attempt could have been successful had more time been available.
Nevertheless, Chrome was the outright winner in terms of browser security within the constraints of the contest.
Hackers at Pwn2Own 2017 earned $233,000 and $340,000 on the first and second day respectively.
It is likely that the known prevalence of bugs in Edge made it a favorite target for the hackers.
It looks like Microsoft will now have to fix bugs soon in order to bolster security in their products.