Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.
[...] "We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."
[...] Any hack that can break out of a widely used virtual machine is generally considered significant. The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of most challenging browsers to exploit. Typically, such remote-code exploits require two or more vulnerabilities to be exploited in unison. The requirement appears to be why the Qihoo team combined the heap overflow exploit with the Windows kernel hack. The description sets up a scenario in which malicious websites can not only compromise a visitor's virtual machine, but also the much more valuable host machine the VM runs on. At last year's Pwn2Own, contestants didn't attempt to target VMWare, an indication reliable exploits were probably worth more than the $75,000 prize that was offered at the time.
Friday's success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.
Source: ArsTechnica
(Score: 1, Insightful) by Anonymous Coward on Tuesday March 21 2017, @12:04AM (17 children)
Same company, same culture, same process, same application, new implementation.
Their advertising for it should have led with why they believe this will go differently to IE. Maybe they did learn the value of security, maybe their culture or process did change sufficiently, I don't know and I don't care enough to find out. It's their marketing teams job to convince me this will not be IE by another name, maybe I haven't seen the ads, but I'm not convinced and don't have enough trust in M$ to use it if I was.
(Score: 1, Informative) by Anonymous Coward on Tuesday March 21 2017, @12:07AM (6 children)
Didn't even read the first sentence before commenting.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @12:11AM (4 children)
Why? You're right. Windows leaks more than a door.
(Score: 2) by bob_super on Tuesday March 21 2017, @12:32AM (3 children)
That is major progress, considering how it used to leak like a colander.
(Score: 2) by mendax on Tuesday March 21 2017, @12:35AM (2 children)
Leaking like a colander means they must have been under the influence of the Flying Spaghetti Monster and his great noodly appendages. :-)
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 1) by anubi on Tuesday March 21 2017, @07:08AM (1 child)
They were and still are....
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:40PM
That's about as funny as a screen door on a battleship. Sad!
(Score: 2) by jdavidb on Tuesday March 21 2017, @05:56PM
Didn't even read the first sentence before commenting.
That's just part of our culture, here! :D
And truthfully it sometimes does make for some useful comments.
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 3, Interesting) by khallow on Tuesday March 21 2017, @01:20AM (9 children)
The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of most challenging browsers to exploit.
So true, they had to tell us twice. I notice the comments don't appear to have any mention of this obvious shilling. I wonder if they've been cleaning out/banning naysayer comments again?
(Score: 2) by Runaway1956 on Tuesday March 21 2017, @02:07AM (6 children)
I've never even looked at this "Edge" crap. Is it similar to IE, in that, IE was almost part of the OS? I experimented with Windows long ago. It was *possible* to remove IE from the Windows installation disk. Doing so ensured that Windows was incapable of performing some tasks. Those tasks didn't seem "essential" for an operating system, but there were some odd glitches here and there. If I remember correctly, Windows help files (.chm) wouldn't work, rendering images was kinda funny - can't remember what else. But, of course, you could install third party software to do whatever didn't seem right.
The philosophy that allows embedding an application so deeply into the OS is simply wrong.
So, if Edge is similar, then Edge is also very wrong.
(Score: 3, Informative) by Arik on Tuesday March 21 2017, @04:18AM (3 children)
With Windows 10 IE is no longer pushed, Edge is instead. IE remains, accessible and vulnerable, for backward compatibility with Windows and third party components that rely on it, but you have to go searching for it to find it. Edge is supposed to be more secure, because it ditches all the old ActiveX crap that caused so much trouble with IE back in the day. Nonetheless, it's extremely advertiser friendly so of course it's not really any more secure. So it gets hijacked in new and interesting ways.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Runaway1956 on Tuesday March 21 2017, @02:04PM (2 children)
Actually, I did my experiments, and work, on Windows XP. The same steps worked on Longhorn, which was later known as Vista. A quick search indicates that NTLite will perform all of the same cusomizations that nLite offered on WinXP.
https://www.ntlite.com/discussions/#/discussion/246/tutorial-for-creating-a-700mb-windows-7-or-8-iso-and-install-in-a-vm [ntlite.com]
IE is removable, but it is done during the creation of your installation media, NOT after installation.
(Score: 2) by Arik on Tuesday March 21 2017, @03:51PM (1 child)
From the domain I'm guessing that's about NTLite though, a program I have had some experience with. With 98lite and a 98SE disk you could do exactly what you say. IIRC even with NTLite you could not really get the desired results out of XP. You're either *only* removing the default UI but leaving all the guts accessible and exploitable, OR you break a LOT of system stuff.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @05:29PM
Hey, I know 98-Lite. That's the radio station I use to get my Kenny G. fix.
(Score: 1) by khallow on Tuesday March 21 2017, @05:50AM
Is it similar to IE, in that, IE was almost part of the OS?
It's the built in web browser installation tool. Just like IE.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @10:52AM
Nor did I, for the simple reason that I wouldn't install the operating system required for it.
(Score: 1) by corey on Wednesday March 22 2017, @01:08AM (1 child)
Do you have any citations?
(Score: 1) by khallow on Friday March 24 2017, @10:07AM