14 DAY TRIAL // Microsoft Edge, the new default browser in Windows 10, was designed by the Redmond-based software giant as a faster, more reliable and more secure successor to Internet Explorer with the goal of becoming a worthy alternative to Google Chrome and Mozilla Firefox.
But as far as security goes, there’s still plenty of room for improvements, it seems, as Microsoft Edge was hit hardest at the Pwn2Own hacking competition this month.
Specifically, Microsoft Edge was hacked no less than 5 times, as most of the teams participating in the contest focused on Redmond’s new browser. For what it’s worth, Google Chrome was also a target, but the browser was almost impossible to hack in the allocated time.
The Microsoft Edge war
In the two days of the contest, five different teams managed to break into Microsoft Edge, one on the first day and another four on the second
Team Ether from Tencent Security was awarded $80,000 for hacking Microsoft Edge with arbitrary code in the long-praised Chakra JavaScript engine. Team Lance and Team Sniper, also from Tencent Security, received another $55,000 each for hacking the browser on the second day of the contest with use-after-free (UAF) vulnerabilities in the Chakra engine.
Independent research Richard Zhu also discovered two UAF security flaws in Edge and in Windows kernel which he used to build an exploit for hacking the browser, securing a $55,000 reward as well.
A team from 360 Security hacked Microsoft Edge with what is called a virtual machine escape using a cocktail of bugs in Microsoft software, including a heap overflow in Edge, a Windows kernel flaw and an issue in VMWare Workstation.
For what it’s worth, Google Chrome proved to be the hardest to break into at Pwn2Own this year, as only one Team Sniper from Tencent Security got close to hacking it, but failed to because it ran out of time.
This doesn’t necessarily mean that users are exposed to attacks, as Microsoft is expected to fix all these flaws with Edge updates before the Windows 10 Creators Update launches next month.