Windows 10 News and info | Forum
Author Topic: Edge hacked in first day of Pwn2Own 2018  (Read 336 times)
javajolt
« on: March 17, 2018, 12:11:35 AM »

Microsoft plans to force users that use the Windows Mail app to open web links in Edge, but just a day earlier there was a good example of why this was a bad idea, as Edge was one of the first browsers to fall in this year’s Pwn2Own hacker contest.

At the 11th annual Pwn2Own contest, being held during the CanSecWest 2018 Conference in Vancouver, British Columbia, hacker Richard Zhu managed to pwn Microsoft Edge by using two browser and kernel bugs, winning him $70,000.

“In the end, he used two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel to successfully run his code with elevated privileges. The dramatic effort earned him $70,000 and 7 points towards Master of Pwn,” notes ZDI.

Zhu had earlier on the same day tried to hack Apple’s Safari browser but failed. Safari did, however, fall later in the day to Samuel Groß, who “used a combination of a JIT optimization bug in the browser, a macOS logic bug to escape the sandbox, and finally a kernel overwrite to execute code with a kernel extension to successfully exploit Apple Safari.” To demonstrate his complete ownage of the operating system he displayed “pwned by saelo =)” in green text on the MacBook Pro’s Touch Bar, earning him $65,000 and 6 points towards Master of Pwn.

Another hacker managed to defeat Oracle VirtualBox.

Microsoft did manage to thwart some hackers by releasing 75 security updates this Tuesday, forcing a number to withdraw from the contest.

As Trend Micro put it, “We never know what will happen when we arrive at the contest. Whether or not Pwn2Own falls near or right after a Microsoft Patch Tuesday, many vendors will make it a point to issue patches ahead of the contest. So, for example, if a contestant happens to be working on a Microsoft vulnerability, their entry could be thwarted by Microsoft’s updates. A couple of the entries that were withdrawn this year fell ‘victim’ to vendors issuing patches.”

Microsoft is a sponsor of Pwn2Own and notes in a blog post:

“Exploit contests are great opportunities as it allows Microsoft engineers to exchange ideas face-to-face with the community. This includes intricate details such as attack approaches, techniques used, and opportunities for improvement against similar attacks. While bug bounty programs focus on vulnerabilities, contests like PWN2OWN focus on exploit chains which typically are only seen in real attacks.”

On day two of the contest, the Firefox browser and Safari were once again hacked, with Google’s Chrome browser the last man standing at present.

source
« Last Edit: March 17, 2018, 04:55:08 PM by javajolt »


