Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.
[...] "We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."
[...] Any hack that can break out of a widely used virtual machine is generally considered significant. The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of most challenging browsers to exploit. Typically, such remote-code exploits require two or more vulnerabilities to be exploited in unison. The requirement appears to be why the Qihoo team combined the heap overflow exploit with the Windows kernel hack. The description sets up a scenario in which malicious websites can not only compromise a visitor's virtual machine, but also the much more valuable host machine the VM runs on. At last year's Pwn2Own, contestants didn't attempt to target VMWare, an indication reliable exploits were probably worth more than the $75,000 prize that was offered at the time.
Friday's success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.
Source: ArsTechnica
(Score: 1, Funny) by Anonymous Coward on Monday March 20 2017, @11:48PM (8 children)
Run a virtual machine inside a virtual machine and you'll be safe.
VM's all the way down!
(Score: 0) by Anonymous Coward on Monday March 20 2017, @11:54PM (7 children)
Doesn't a train smash through the wall and run you over if you do that?
(Score: 1) by Scruffy Beard 2 on Tuesday March 21 2017, @12:27AM (6 children)
No, only if you say "I like trains." a little too lou
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:15AM (5 children)
BOOO! You ruined the joke. It should read:
No, only if you say "I like trains." a little too lou^R?#C{-_EZ:oUPfL-"KgNO CARRIER
(Score: 1) by Scruffy Beard 2 on Tuesday March 21 2017, @02:10AM (4 children)
I have not used a modem connection in about 2 years. And then, I did not use it to post on forums.
Used is as out-of band connectivity party just to say I actually used a modem in 2015 or so.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @02:36AM (1 child)
What's a "modem"?
(Score: 1) by Scruffy Beard 2 on Tuesday March 21 2017, @08:01AM
Before the modern web, people dialled into central computers using VT52 or VT100 emulation.
If there was noise on he ;*ne()(U()*(*0-230?NO CARRIER
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @10:48AM (1 child)
Are you sure? [wikipedia.org] Really? [wikipedia.org] Absolutely? [wikipedia.org]
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @06:01PM
Of course I'm sure. I use RFC 6214 (with fallback to RFC 1149), you insensitive clod!
(Score: 0) by Anonymous Coward on Monday March 20 2017, @11:52PM
One of the side benefits of MS's intentionally shitty coding is that some hackers get big paydays? Ha! Now if only we can get the "bugs" exposed faster than they can patch them in....
(Score: 1, Insightful) by Anonymous Coward on Tuesday March 21 2017, @12:04AM (17 children)
Same company, same culture, same process, same application, new implementation.
Their advertising for it should have led with why they believe this will go differently to IE. Maybe they did learn the value of security, maybe their culture or process did change sufficiently, I don't know and I don't care enough to find out. It's their marketing teams job to convince me this will not be IE by another name, maybe I haven't seen the ads, but I'm not convinced and don't have enough trust in M$ to use it if I was.
(Score: 1, Informative) by Anonymous Coward on Tuesday March 21 2017, @12:07AM (6 children)
Didn't even read the first sentence before commenting.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @12:11AM (4 children)
Why? You're right. Windows leaks more than a door.
(Score: 2) by bob_super on Tuesday March 21 2017, @12:32AM (3 children)
That is major progress, considering how it used to leak like a colander.
(Score: 2) by mendax on Tuesday March 21 2017, @12:35AM (2 children)
Leaking like a colander means they must have been under the influence of the Flying Spaghetti Monster and his great noodly appendages. :-)
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 1) by anubi on Tuesday March 21 2017, @07:08AM (1 child)
They were and still are....
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:40PM
That's about as funny as a screen door on a battleship. Sad!
(Score: 2) by jdavidb on Tuesday March 21 2017, @05:56PM
Didn't even read the first sentence before commenting.
That's just part of our culture, here! :D
And truthfully it sometimes does make for some useful comments.
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 3, Interesting) by khallow on Tuesday March 21 2017, @01:20AM (9 children)
The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of most challenging browsers to exploit.
So true, they had to tell us twice. I notice the comments don't appear to have any mention of this obvious shilling. I wonder if they've been cleaning out/banning naysayer comments again?
(Score: 2) by Runaway1956 on Tuesday March 21 2017, @02:07AM (6 children)
I've never even looked at this "Edge" crap. Is it similar to IE, in that, IE was almost part of the OS? I experimented with Windows long ago. It was *possible* to remove IE from the Windows installation disk. Doing so ensured that Windows was incapable of performing some tasks. Those tasks didn't seem "essential" for an operating system, but there were some odd glitches here and there. If I remember correctly, Windows help files (.chm) wouldn't work, rendering images was kinda funny - can't remember what else. But, of course, you could install third party software to do whatever didn't seem right.
The philosophy that allows embedding an application so deeply into the OS is simply wrong.
So, if Edge is similar, then Edge is also very wrong.
(Score: 3, Informative) by Arik on Tuesday March 21 2017, @04:18AM (3 children)
With Windows 10 IE is no longer pushed, Edge is instead. IE remains, accessible and vulnerable, for backward compatibility with Windows and third party components that rely on it, but you have to go searching for it to find it. Edge is supposed to be more secure, because it ditches all the old ActiveX crap that caused so much trouble with IE back in the day. Nonetheless, it's extremely advertiser friendly so of course it's not really any more secure. So it gets hijacked in new and interesting ways.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Runaway1956 on Tuesday March 21 2017, @02:04PM (2 children)
Actually, I did my experiments, and work, on Windows XP. The same steps worked on Longhorn, which was later known as Vista. A quick search indicates that NTLite will perform all of the same cusomizations that nLite offered on WinXP.
https://www.ntlite.com/discussions/#/discussion/246/tutorial-for-creating-a-700mb-windows-7-or-8-iso-and-install-in-a-vm [ntlite.com]
IE is removable, but it is done during the creation of your installation media, NOT after installation.
(Score: 2) by Arik on Tuesday March 21 2017, @03:51PM (1 child)
From the domain I'm guessing that's about NTLite though, a program I have had some experience with. With 98lite and a 98SE disk you could do exactly what you say. IIRC even with NTLite you could not really get the desired results out of XP. You're either *only* removing the default UI but leaving all the guts accessible and exploitable, OR you break a LOT of system stuff.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @05:29PM
Hey, I know 98-Lite. That's the radio station I use to get my Kenny G. fix.
(Score: 1) by khallow on Tuesday March 21 2017, @05:50AM
Is it similar to IE, in that, IE was almost part of the OS?
It's the built in web browser installation tool. Just like IE.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @10:52AM
Nor did I, for the simple reason that I wouldn't install the operating system required for it.
(Score: 1) by corey on Wednesday March 22 2017, @01:08AM (1 child)
Do you have any citations?
(Score: 1) by khallow on Friday March 24 2017, @10:07AM
(Score: 3, Interesting) by mendax on Tuesday March 21 2017, @12:45AM (1 child)
I don't know about you but I think TFA describes quite a clever, if improbable in the wild, hack. I like elegance in all things and this is elegant.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 2) by Nobuddy on Tuesday March 21 2017, @10:36PM
why improbable in the wild? The combo of Edge, Windows 10, and VMWare is not at all uncommon. And compromised sites are far more common than that.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @05:37AM (2 children)
Exploiting windoze is like beating on a handicapped person, but the compromise of the VMware host is much more serious.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @08:19AM (1 child)
Virtualizatoion is great for streamlining management, but I always laugh when people suggest that it increases security. Back when VMware ESX came out, in the first test build I did, I saw it leaking ethernet packets between virtual interfaces. I'm sure VMware is working hard to keep things secure, but I still don't trust them more than I would Microsoft. Compartmentalization may give the impression of isolation, but you have to be able to trust the hypervisor to actually keep everything separate. In the end, the additional complexity of running within a hypervisor negates the security benefits of having simplified each individual guest. It is an additional attack surface, and NOT an extra layer in your defence-in-depth.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @11:04AM
It is another layer, because AFAIU if you break out of the virtual machine, you're still at the user level of the host OS under which the VM runs, so you've got to do another exploit to completely take over the machine. Say you need to use software that only runs on Windows, then you can run Windows in a VM and use Linux as the underlying operating system, and the hacker who manages to compromise Windows and the VM still has not compromised your complete system. Moreover since the number of tasks you actually do on the host OS is rather limited, you can crank up the security measures (like SELinux) to the maximum on the host OS without actually affecting usability too much.
(Score: 2, Insightful) by Anonymous Coward on Tuesday March 21 2017, @02:20PM
Do practice safe hex and turn JS off in your browser.