Microsoft’s browser folks have to hate when Pwn2Own rolls around every year. It’s not that unusual for every browser to get hit with a nasty zero-day exploit, but it seems like Microsoft leads the pack, year after year after year. Some of this had to do with the aging nature of legacy Internet Explorer. Even in IE11, which had some limited sandboxing capabilities, it just seemed to be perpetually bullied by the security community.
Microsoft’s Edge browser was supposed to alleviate a lot of the security concerns, with even more advanced sandboxing and process isolation than even Chrome. But in this years competition, the Qihoo 360 security team found a pretty nasty vulnerability. Using a heap overflow bug, a JavaScript engine exploit, and a VMware flaw, they were able to not just execute code on the virtualized guest OS, but were actually able to access the host machine. That’s impressive.
Obviously this isn’t just the fault of the Edge browser, but the headlines all lead with it anyway. Still, the point of the entire competition make a competition out of bug bounties, and the good thing is that this should soon be patched to avoid it all together.
Still, the idea of gaining host access from a virtualized browser is just about a nightmare scenario.
Ars Technica comments:
Contestants at this year’s Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft’s heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.
Rich has been a tech enthusiast since he first used the speech simulator on a Magnavox Odyssey². Current areas of interest include ZFS, the false hopes of memristors, and the oral history of Transmeta.
