The Pwn2Own 2017 hacking contest, which celebrated its 10th anniversary, concluded after three days in which security teams hacked away at browsers and operating systems. Microsoft’s Edge seems to have been hit the hardest, while Chrome remained unhackable during the contest.
Microsoft Losing Its Edge
Microsoft created the Edge browser by rewriting most of it from scratch (some parts were forked from Internet Explorer). The company’s goal was to have a browser that’s much more secure and that can keep up with Chrome and Firefox when it comes to supporting the latest web standards. Edge even implemented sandboxing technologies that were similar to what Chrome was using, which put it ahead of Firefox, which is still trying to play catch-up in this regard.
However, despite these improvements in code cleanness and security technologies, it hasn’t quite proven itself when faced with experienced hackers at contests such as Pwn2Own. At last year’s edition of Pwn2Own, Edge proved to be a little better than Internet Explorer and Safari, but it still ended up getting hacked twice, while Chrome was only partially hacked once.
Things seem to have gotten worse, rather than better, for Edge. At this year’s Pwn2Own, Microsoft’s browser was hacked no less than five times.
On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge.
However, Team Lance (Tencent Security) successfully exploited Microsoft’s browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well.
The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from “360 Security.” The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape.
The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000.
The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000.
How The Other Browsers Fared
The first attack against Safari used three logic bugs in the browser and a null pointer dereference to elevate privileges in macOS. However, it was awarded only a partial prize ($28,000) because the UAF bug had already been fixed in the beta version of Safari.
Another team of researchers from the Chaitin Security Research Lab used six different bugs to successfully attack Apple’s browser and gain root access on macOS. The team got $35,000 for their efforts. Richard Zhu failed to complete an attack against Safari in the allotted amount of time, on the first day of the contest. Team Sniper and 360 Security successfully hacked Safari on the second day, each earning $35,000.
With three and a half success attacks against it, Safari didn’t fare so well in the Pwn2Own contest, but it still did better than Edge.
Firefox was back at this year’s Pwn2Own after missing last year, seemingly because the browser would’ve been too easy to hack. Things have changed a little since then, though; Firefox has gained some partial sandboxing capabilities. Two hacking attempts were made against Mozilla’s browser during the contest. Only one succeeded through an integer overflow in Firefox and an uninitialized buffer in the Windows kernel to elevate system privileges.
Firefox may become a bigger target at next year’s Pwn2Own if researchers think it will make for some easy wins. However, the browser should also gain additional security features by then, so it remains to be seen if things will get as bad as it did for Edge this year.
There was only one attempt to hack Chrome, by Team Sniper (Tencent Security), but it couldn’t get the attack to work in the allotted time. Perhaps it would’ve succeeded if there was more time, or perhaps Google had already discovered the bug and fixed it before the contest, making it impossible for the exploit to succeed.
And The Winner Is ...
It’s not clear whether the security researchers decided to target Edge this year because they thought it’s time to focus more on it, after its premiere in the Pwn2Own contest last year, or because they saw how many bugs it tends to have, which made it more exploitable. However, the majority of attempts resulted in successes, which may at least tell us that Microsoft may not be too quick at fixing bugs that the researchers may have found many months ago.
Windows 10 didn’t do too well either, as every successful browser attack on Windows seemed to have a matching successful attack against the Windows kernel.
The conclusion we can draw from the latest Pwn2Own is that Microsoft still has much work to do for the security of both Edge and Windows 10, perhaps coupled with getting better at finding and then fixing bugs more quickly. Safari wasn’t too far behind in terms of successful attacks against it, so the same would apply to Apple.
Firefox will likely face its test of fire at next year’s Pwn2Own. In the meantime, Chrome remains the undisputed champion in browser security.