Microsoft has suffered a major blow in its quest to popularize its newest browser Edge, which comes with Windows 10. Never mind the unrelenting Ads Microsoft is pushing onto us on multiple platforms on Windows 10; Ads that claim the Edge browser is ‘safer’ than Chrome and Firefox. But who determines that? Microsoft says NSS Labs reached that conclusion.
However, if the reports coming out of the Pwn2Own 2017 hacking event are anything to go by, Microsoft Edge is not the ‘safest’ browser you can use. Apparently, of all the browsers that were undergoing white hacks, Edge was the least secure and hackers were able to hack passed its security more times than any other browser.
Edge was hack not less than five times, while Google’s Chrome browser proved to be the most resilient as no hacker was able to hack it. According to Tom’s Hardware coverage reports, the Pwn2Own 2017 hacking event went down as follows:
Day 1: Team Ether (Tencent Security) was the first participating team to hack Microsoft Edge using an arbitrary write in Chakra JavaScript engine. Additionally, the team used a logic bug within the sandbox to escape that, as well. For their exploit, Team Ether walked home with $80,000 prize.
Day 2: Teams were on a fast and furious race to attacking Edge. One of the teams was disqualified for having used a vulnerability that had been disclosed the previous, and two other teams withdrew from the competition to hack Edge. As a condition for the contest, the teams are supposed only to use zero-day vulnerabilities; that is to unearth security holes both unknown to the vendor and not yet disclosed publicly.
Team Lance (Tencent Security) was successful in exploiting Edge’s User-After-Free (UAF) vulnerability in Chakra, and another UAF bug in the Windows 10 Kernel to elevate the system privileges. For their exploit, Team Lance walked home with $55,000.
Team Sniper (Tencent Security) was also successful in exploiting Edge and Windows 10 kernel using the same technique Team Lance used. For that, they also won $55,000. However, the most impressive exploit for this competition was by a security team from 360 Security. The team pulled a first for the Pwn2Own by using a virtual machine escape through a flaw in Edge. They used a heap overflow bug in Edge, which is a sort of confusion to Windows kernel, coupled with uninitialized buffer in VMware Workstation to make a complete virtual machine escape.
The team from 360 Security was able to hack their way into the Edge browser via guest Windows OS, using the VM, and getting all the way to hosting the operating system. It was an impressive chained-exploit that earned the team $105,000. Another exploit on Edge was by Richard Zhu, who used two UAF bugs; one on Edge and the other on Windows kernel buffer overflow. Zhu got $55,000 for completing the hack.
