Microsoft Edge: Most Hacked Browser At Pwn2Own 2017

The Pwn2Own 2017 hacking contest, which celebrated its 10th anniversary, concluded after three days in which security teams hacked away at browsers and operating systems. Microsoft’s Edge seems to have been hit the hardest, while Chrome remained unhackable during the contest.

Microsoft Losing Its Edge

Microsoft created the Edge browser by rewriting most of it from scratch (some parts were forked from Internet Explorer). The company’s goal was to have a browser that’s much more secure and that can keep up with Chrome and Firefox when it comes to supporting the latest web standards. Edge even implemented sandboxing technologies that were similar to what Chrome was using, which put it ahead of Firefox, which is still trying to play catch-up in this regard.

However, despite these improvements in code cleanness and security technologies, it hasn’t quite proven itself when faced with experienced hackers at contests such as Pwn2Own. At last year’s edition of Pwn2Own, Edge proved to be a little better than Internet Explorer and Safari, but it still ended up getting hacked twice, while Chrome was only partially hacked once.

Things seem to have gotten worse, rather than better, for Edge. At this year’s Pwn2Own, Microsoft’s browser was hacked no less than five times.

On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit.

On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge.

However, Team Lance (Tencent Security) successfully exploited Microsoft’s browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well.

The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from “360 Security.” The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape.

The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000.

The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000.

How The Other Browsers Fared

Safari

The first attack against Safari used three logic bugs in the browser and a null pointer dereference to elevate privileges in macOS. However, it was awarded only a partial prize ($28,000) because the UAF bug had already been fixed in the beta version of Safari.

Another team of researchers from the Chaitin Security Research Lab used six different bugs to successfully attack Apple’s browser and gain root access on macOS. The team got $35,000 for their efforts. Richard Zhu failed to complete an attack against Safari in the allotted amount of time, on the first day of the contest. Team Sniper and 360 Security successfully hacked Safari on the second day, each earning $35,000.

With three and a half success attacks against it, Safari didn’t fare so well in the Pwn2Own contest, but it still did better than Edge.

Firefox

Firefox was back at this year’s Pwn2Own after missing last year, seemingly because the browser would’ve been too easy to hack. Things have changed a little since then, though; Firefox has gained some partial sandboxing capabilities. Two hacking attempts were made against Mozilla’s browser during the contest. Only one succeeded through an integer overflow in Firefox and an uninitialized buffer in the Windows kernel to elevate system privileges.

Firefox may become a bigger target at next year’s Pwn2Own if researchers think it will make for some easy wins. However, the browser should also gain additional security features by then, so it remains to be seen if things will get as bad as it did for Edge this year.

Chrome

There was only one attempt to hack Chrome, by Team Sniper (Tencent Security), but it couldn’t get the attack to work in the allotted time. Perhaps it would’ve succeeded if there was more time, or perhaps Google had already discovered the bug and fixed it before the contest, making it impossible for the exploit to succeed.

And The Winner Is ...

It’s not clear whether the security researchers decided to target Edge this year because they thought it’s time to focus more on it, after its premiere in the Pwn2Own contest last year, or because they saw how many bugs it tends to have, which made it more exploitable. However, the majority of attempts resulted in successes, which may at least tell us that Microsoft may not be too quick at fixing bugs that the researchers may have found many months ago.

Windows 10 didn’t do too well either, as every successful browser attack on Windows seemed to have a matching successful attack against the Windows kernel.

The conclusion we can draw from the latest Pwn2Own is that Microsoft still has much work to do for the security of both Edge and Windows 10, perhaps coupled with getting better at finding and then fixing bugs more quickly. Safari wasn’t too far behind in terms of successful attacks against it, so the same would apply to Apple.

Firefox will likely face its test of fire at next year’s Pwn2Own. In the meantime, Chrome remains the undisputed champion in browser security.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • So much of Windows 10 being the most secured OS. You people should stop believing Microsoft bullcrap.
    Reply
  • Jeff Fx
    MS forced me to unpin Edge from my task bar. Recently Edge started popping up an ad every time I ran Chrome, to tell me Edge is faster. My OS should not be trying to use it's position to sell me on using MS junk instead of more secure tools. I thought this sort of thing was illegal.
    Reply
  • falchard
    Much better to attempt hacks on Microsoft. Finding an exploit pays better.
    Reply
  • shrapnel_indie
    Microsoft created the Edge browser by rewriting most of it from scratch (some parts were forked from Internet Explorer).

    TBH: we only have their word on that. There is always the possibility that much-much-more was forked into Edge from IE than they told the public.

    Surprised with as much data mining Google does, that Chrome is showing as so secure.

    Win10 vulnerabilities: Not so surprising, especially in light of their own personal data mining.

    Win10 has the potential to be really good... MS just has to refocus on true security on ALL levels and stop poking their nose into the business of its users.
    Reply
  • alextheblue
    19452356 said:
    Surprised with as much data mining Google does, that Chrome is showing as so secure.

    Win10 vulnerabilities: Not so surprising, especially in light of their own personal data mining.
    Internal data mining does not mean the program is inherently less secure. As for Windows itself, it's a lot harder to secure a long-standing full fledged OS with wide-ranging software/hardware compatibility. That's not to say they should ever stop shelling out money for vulnerability bounties, and they need to continue fixing them to the best of their abilities. But comparing a browser to an full-blown OS is silly. I mean even Android has vulnerabilities and it is a lot less complex than Windows. Windows 7 has vulnerabilities too. MS probably isn't quite as interested in paying people to scrutinize it though, compared to 10.

    As for Edge, it needs a lot of work. Even so it has come a long way in a relatively short period of time. I'd say overall it's actually not bad for a stock browser. But this definitely shows they need to prioritize security in the coming year. Kudos to the security researchers for making everyone safer, and making some cash in the process.
    Reply
  • shrapnel_indie
    19453703 said:
    19452356 said:
    Surprised with as much data mining Google does, that Chrome is showing as so secure.

    Win10 vulnerabilities: Not so surprising, especially in light of their own personal data mining.
    Internal data mining does not mean the program is inherently less secure. As for Windows itself, it's a lot harder to secure a long-standing full fledged OS with wide-ranging software/hardware compatibility. That's not to say they should ever stop shelling out money for vulnerability bounties, and they need to continue fixing them to the best of their abilities. But comparing a browser to an full-blown OS is silly. I mean even Android has vulnerabilities and it is a lot less complex than Windows. Windows 7 has vulnerabilities too. MS probably isn't quite as interested in paying people to scrutinize it though, compared to 10.

    As for Edge, it needs a lot of work. Even so it has come a long way in a relatively short period of time. I'd say overall it's actually not bad for a stock browser. But this definitely shows they need to prioritize security in the coming year. Kudos to the security researchers for making everyone safer, and making some cash in the process.

    I probably should have probably made it clearer that this was in no way a comparison of browser vs OS. I do understand that an OS is far more complex than a browser... unfortunately, the way Microsoft embedded the browser into the OS in the past doesn't do much either in keeping the two distinct entities, which doesn't help matters.

    While internal data mining doesn't mean the program or OS is less secure, it does provide paths that absolutely must be fortified against misuse and attack. I understand that everything has vulnerabilities, in which the only greatest safeguard is to never power them on... which is quite silly too as you'd never benefit from their usage. It matters not if it''s an IoT device, an OS (no matter age, usage numbers, or vendor,) or any other app or piece of data.

    You are correct though about the need to prioritize security... but I would hope the benefits of such prioritization would be felt much much sooner than next year or the next contest.
    Reply
  • Dosflores
    There's something I don't like about Pwn2Own: teams are allowed to target any browser. I think it would be more interesting if you could only attack a given browser each day. Otherwise, it makes sense for teams to target the weakest browsers, which obviously means Edge and Safari, because their update processes are merged with their respective OS updates. And after the Microsoft February updates fiasco, it would have been silly not trying to obliterate Edge.

    So, yeah, we know Edge and Safari have lots of vulnerabilities, but we can't be sure Chrome and Firefox don't have their share.
    Reply
  • Stubbies
    And Microsoft thinks I'm crazy for still running Windows 7 with Chrome....
    Reply
  • buscseik
    I agree that, this competition should be managed different way like it was mentioned previously. E.g.: Teams have 1 day for each browser...
    You can say harder to hack Chrome, but in other hand Google collect information about you every second, and nobody thinks that is a security issue :). If someone else collect information about you, than it is a security issue.

    Just a simple example: Everyone agree that private mailing is one of the number one privacy object. Possibly all of you noticed your android phone will notice you about upcoming travel.
    Have you been every thinking about it how your phone knows about your upcoming travel? If a bot reading your email for this information at Google, what is the guarantee there is no other bot at Google that reading your email for other private information about you?
    Reply
  • buscseik
    I agree that, this competition should be managed different way like it was mentioned previously. E.g.: Teams have 1 day for each browser...
    You can say harder to hack Chrome, but in other hand Google collect information about you every second, and nobody thinks that is a security issue :). If someone else collect information about you, than it is a security issue.

    Just a simple example: Everyone agree that private mailing is one of the number one privacy object. Possibly all of you noticed your android phone will notice you about upcoming travel.
    Have you been every thinking about it how your phone knows about your upcoming travel? If a bot reading your email for this information at Google, what is the guarantee there is no other bot at Google that reading your email for other private information about you?
    Reply