Privacy Alert Hackers cook god-mode remote exploits against Edge, VMware in world-first

Venustus

Power of Community: Hackers have twice completely compromised Microsoft Edge operating on Windows 10 Red Stone 1 and for the first time twice broken VMware Workstation without user interaction.

The bugs landed via SYSTEM-level remote code execution while the second VMware hacks could also be performed remotely.

The four hacks were demonstrated at the PwnFest 2016 event held at the Power of Community security conference in Seoul on Thursday, with details to be provided to vendors and kept under wraps.

It is a run of hacks against major platforms including the new Google Pixel running Android version 7 (Nougat), Adobe Flash via Microsoft Edge on Windows 10 Red Stone 1, and Apple Safari on MacOS Sierra.

Junghoon Lee, aka LokiHardt, shows his successful Edge exploit. Darren Pauli / The Register.

A team at Beijing vulnerability firm Qihoo 360 successfully popped Edge on Windows 10, as did highly talented South Korean hacker Lokihardt, the latter's exploit being successful after only 18 seconds.

Both earned $140,000 for gaining SYSTEM-level code execution on Windows Edge.

Another Qihoo hacker team and Lee both compromised VMware Workstation 12.5.1 in the world's first attacks against the platform, bagging $150,000 for the exploits.

The Qihoo team told Vulture South that it took six months from March to brew the trio of chained vulnerabilities including a possible use-after-free, confirmed out-of-boundary read, and out-of-boundary write exploits.

Qihoo had about 30 hours to rework their Edge bug after Microsoft squashed three of their four vulnerabilities in its Patch Tuesday run just before the event.

The Register will report on successful hacks throughout the two-day conference.

The hacking teams should be expected to succeed. ®

Darren Pauli travelled to Seoul as a guest of Power of Community.
 

Wave

It is a good thing that these hackers have identified vulnerabilities in software like VMware Workstation and successfully exploited the software using these vulnerabilities because it now gives VMware the chance to help strengthen their product further - but somewhere out there, there will be someone capable of bypassing the software after the new patches, and this will go on forever. Why? Because nothing is fully secure.

We should be thankful that the hackers are good people and not bad people because if such vulnerabilities were used for malicious purposes, who knows what the damages could have been.

This is why Edge should be patched every 2 weeks like Chrome and Firefox.

Ideally, the major browsers should be patched once a week.
What would be the point in it being patched every 2 weeks if Microsoft have no patches to release? Patching vulnerabilities is not something that can just be done, it requires care and effort to help prevent future problems after the patch, it needs to be done properly.

Patches should be released as they are completed, not in batches with multiple patches (not every 2 weeks, not every month, not every two months) - this way it ensures that the end-user is more secure more often than not, but no matter how many patches you put out there, there will always be a way around it somehow.

(Hackers are more and more young, or it is me that is getting more and more ... old ? :D)
Both - we grow older by the seconds in the minutes which are in the hours of the day.

Hackers are becoming younger and younger due to the extensive information on specific topics widely available on the internet for free, and of course if you come from a wealthy background then you will have even more resources due to the money being spent on proper educators. Practice makes perfect.

Hacking is like an art - it takes hard work and dedication for good results, same as anything else you do in life. Anything can be hacked, the same way that any fighter in fighting sports can be beaten via mixing up combinations and tricking them out.
 

Entreri

I understand your point, however, without deadlines very little would be accomplished. I applaud Google and Mozilla for their 2 week update cycle.
 

Wave

No, they could work on patching vulnerabilities as they find them/as they are identified by third-parties and reported to them, and release them as the patching has been completed and testing of the patch gave positive, successful results. As opposed to storing patches which may have been fixed over the course of a few days and waiting additional time to release, just so it is in a packed release... Why? It means customers are safe-guarded against present/known vulnerabilities quicker. I'd rather have a vendor release more updates so I become better protected quicker than have them all released at a later date, since in-between the deadline time I may be infected by malware which will exploit a vulnerability which they had already patched but not released the patch for yet.

As well as this, giving a deadline won't actually help. The engineers need to be passionate about wanting to fix the vulnerabilities and this will provide motivation for them to do good work. If you sit someone down and give them a short-timed deadline it will cause them to end up rushing work eventually and this can lead to mistakes or making the work useless. It's not about quantity, it's about quality.

When you are patching vulnerabilities or designing how a system works, you should do it properly. It's like getting a haircut, you don't rush the barbers or you end up with a low quality haircut... When you are painting a picture you spend the time to do it properly, you don't rush it so it is left horrible and not as good. The same logic applies to patching vulnerabilities.

Other vendors may take longer to patch vulnerabilities, but for all you know this could be because they are spending more time focusing on the issue, and trying to find the best possible method they can to fix the vulnerability. For all we know, rushed vendors like Google and Mozilla (2 week deadline, it's rushed) can make mistakes, leading to even more potential problems. It's like a broken wall so you cover the crack with duct tape, but the crack is still there and vulnerable.

As I said earlier in this post: it's not about quantity, it's about quality. ;)