During the recent Pwn2Own hacking contest, major browsers including Edge, Safari and Firefox fell to white hat hackers. Nine security vulnerabilities in Firefox and Edge were exposed. Three teams exploited the vulnerabilities and won about $270,000 USD in prize money.
“They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website,” explained Zero Day Initiative (ZDI), the company that organizes Pwn2Own.
Among the white hat hackers, the Fluoroacetate team, which had successfully attacked Safari on the first day, locked onto the Firefox browser and induced the user to visit the malicious website. They could then gain control of the system through a just-in-time (JIT) compilation vulnerability in the browser and an out-of-bounds write vulnerability in the Windows kernel. The team received $50,000 USD for this.
Next, the Fluoroacetate team took on a tougher task: opening Microsoft Edge from the VMware Workstation client to browse the team's tailor-made malicious sites. Their goal was to execute arbitrary programs on the underlying platform. They used type confusion vulnerabilities in Edge, a race condition vulnerability in the Windows kernel, and an out-of-bounds write vulnerability in VMware Workstation to successfully demonstrate the attack. This task won them $130,000 USD in prize money.
Another participant in the contest, Niklas Baumstark, performed a sandbox escape by exploiting just-in-time compilation and logic error vulnerabilities in Firefox. In practice, these vulnerabilities would allow an attacker to execute programs on the target system with the privileges of the existing user. He won $40,000 USD in prize money.
These white hat hackers won hundreds of thousands of dollars during the contest, and by successfully compromising Safari on macOS and Edge and Firefox on Windows 10 they have once again demonstrated that there is no completely secure system in the world. It is necessary to safeguard your device with a reliable and powerful security program.