White hat hackers compromised Microsoft Edge, Apple Safari, and Oracle VirtualBox on the first day of the Pwn2Own 2018 competition, which is taking place these days alongside the CanSecWest conference in Vancouver, Canada.
About four entries were registered for the first day of Pwn2Own 2018. Initially, Richard Zhu attempted a sandbox escape on Apple’s Safari web browser, but failed to complete it within the thirty-minute time limit. However, he managed to hack Microsoft Edge using two use-after-free vulnerabilities in the browser and an integer overflow in the Windows kernel. This attempt, which involved altering his exploit on the spot, earned him some $70,000.
Niklas Baumstark from the Phoenhex team had a partially successful entry against Oracle VirtualBox. Although he did manage to execute code using out-of-bounds read and time-of-check to time-of-use (TOCTOU) vulnerabilities, he was awarded $27,000 of the maximum of $35,000. Samuel Groß (aka saelo), also of the Phoenhex team, earned $65,000 for executing code in Safari using a JIT optimization flaw in the web browser, a logic bug in macOS, and a kernel overwrite vulnerability.
Only three attempts are planned for the second day of the event, including two that target Safari and one that targets Mozilla Firefox. Contestants earned a total of $162,000 on the first day, and they will likely not earn much more on the second day unless their exploits include a virtual machine escape via a kernel privilege escalation vulnerability, for which there is a bonus of $50,000 – $70,000. In comparison, the previous year’s event had approximately thirty entries and spanned three days. Contestants earned more than $800,000 for a record-breaking 51 vulnerabilities.
The Zero Day Initiative, which runs Pwn2Own, stated that the number of white hat hackers who registered was initially higher, but some of them were forced to withdraw from the competition for various reasons, including their vulnerabilities being fixed by Microsoft in its latest security updates. The Zero Day Initiative announced in January of this year that Microsoft and VMware had funded a prize pool of $2 million for Pwn2Own 2018.
Microsoft appears pleased that contestants could not escape its Windows Defender Application Guard (WDAG) isolation defense, even though the Microsoft Edge browser was compromised on the first attempt. Escaping the WDAG container could have earned researchers between $10,000 and $250,000 at Pwn2Own.