The two browsers have been targeted at Pwn2Own

Mar 15, 2018 07:44 GMT

Microsoft’s and Apple’s browsers have been targeted by white hat hackers at the Pwn2Own 2018 competition, and both applications were breached during the first day of the event.

Researchers Richard Zhu, also known as fluorescence, and Samuel Groß (saelo) both targeted Apple’s Safari, but the former failed to breach the browser with a sandbox escape because he could not get his exploit working within the time allotted.

On the other hand, saelo, who is a member of the phoenhex team, pwned Safari with a macOS kernel EoP (Elevation of Privilege) and used a three-bug chain for his attack. This attack was rewarded with $65,000.

After failing to exploit Safari, Richard Zhu also targeted Microsoft Edge with a Windows kernel EoP, combining two use-after-free (UAF) bugs in the browser with an integer overflow in the kernel to breach it. He earned $70,000 for this successful exploit.

Also on the first day of the event, Niklas Baumstark (_niklasb) from the phoenhex team targeted Oracle’s VirtualBox, but he managed just a partial hack, so he was rewarded with $27,000.

Browser security

While these hacks could make people believe that Microsoft Edge and Safari aren’t the most secure browsers, it’s important to know that all exploits are based on very complex attacks that are then privately disclosed to the parent companies for fixing.

Users are thus not exposed in any way, with developing firms typically shipping security patches addressing the exploited vulnerabilities shortly after Pwn2Own.

Microsoft uses the high level of security offered by Edge as one of the main catalysts to convince more users to give it a try, especially since it’s bundled as the new default in Windows 10.

However, such efforts have fallen short so far, as Microsoft Edge is used as a daily driver by only approximately 5 percent of users worldwide, according to third-party data. Google Chrome is the number one browser with a share of more than 60 percent.