Pwn2Own is a white-hat hacking competition held annually at the CanSecWest security conference. In this competition, contestants exploit widely used software and devices using previously unknown vulnerabilities. The name “Pwn2Own” comes from the fact that contestants must “pwn” (hack) the software or device in order to “own” (win) it.
This year, the white-hat hackers targeted Microsoft’s Edge and Apple’s Safari browsers. Unfortunately, the security of both browsers was breached on the very first day. Two researchers, Richard Zhu and Samuel Groß, targeted Apple Safari. While Richard wasn’t able to exploit the browser within the allotted time, Samuel successfully breached it.
Samuel, a member of the Phoenhex team, breached Apple’s Safari with a macOS kernel EoP (Elevation of Privilege), using a three-bug chain to complete the attack. He was awarded $65,000 for it.
Richard Zhu, who had failed to breach Apple’s browser, then targeted Microsoft’s Edge. He breached Edge with a Windows EoP, combining two use-after-free (UAF) bugs in the browser with an integer overflow in the kernel to complete the attack. He was later awarded $70,000.
On the same day, Niklas Baumstark, also a member of the Phoenhex team, attempted an attack on Oracle’s VirtualBox. Although it was only a partial hack, he was awarded $27,000.
What does this really mean?
While these attacks may bother some of our readers, there’s really nothing that you should be worried about. The attacks here are based on very complex exploits, which are later disclosed privately to the parent company so that it can fix them.
Microsoft and Apple may ship patches for the vulnerabilities shortly after the Pwn2Own competition.
Security is Microsoft’s main selling point in pushing Edge to its Windows 10 users. Microsoft uses a high level of security in its browser, which is baked deep into an OS that is already very secure. However, Microsoft’s efforts to steer users to Edge don’t seem to be working. Edge still holds only 5% of the browser market, while Google Chrome remains the most popular browser with a 60% market share.