Mozilla Firefox and Microsoft Edge Hacked at Pwn2Own

CyberTech

Level 44
Thread author
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
Mozilla Firefox and Microsoft Edge were both hacked in the second day of the Pwn2Own hacking contest, and in the case of the Windows 10 browser, researchers came up with a super-complex and clever approach to escape a virtual machine and get inside the host.

Amat Cama and Richard Zhu of Fluoroacetate were the first to attempt to break into Mozilla Firefox using a JIT Bug and an out-of-bounds write in the Windows kernel.

This technique allowed to run code at system level, technically taking over the machine completely after pointing Firefox to a crafted website. The two were received a price of $50,000.

Mozilla’s browser was also hacked by Niklas Baumstark, who escaped the sandbox with a mix of a JIT bug and a logic bug. The researcher eventually obtained the same rights as the logged-in user, which could obviously provide full control of the host in the case of an administrator account. Baumstark received $40,000 for his exploit.

Microsoft Edge exploits
Fluoroacetate also hacked Microsoft Edge with a more complex attack that earned them $130,000.

“Starting from within a VMWare Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page,” Zero Day Initiative explains.

“That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation.”

Arthur Gerkis of Exodus Intelligence also managed to exploit Microsoft Edge with a double free bug in the renderer mixed with a logic bug to escape the sandbox. His successful attack against the Windows 10 browser brought him $50,000.

The vulnerabilities that the researchers used to break into the two browsers have been reported to Mozilla and Microsoft and they should be patched in the coming updates.
 

Entreri

Level 7
Verified
May 25, 2015
342
Anything made by one human (or team/s), another can hack.

This is will AI's in the future. Certainly humans will be unable to hack advanced AI's.
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,224
Anything made by one human (or team/s), another can hack.

This is will AI's in the future. Certainly humans will be unable to hack advanced AI's.
I will re-iterate what you wrote. AI made by humans, for humans, to hack other human's electronic products(HW and SW) .
I understand Mozilla has already issued a patch based on the hack. No word on Microsoft doing the same.
Maybe tomorrow we might get it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top