What is Pwn2Own?
‘Pwn2Own’ is an annual held computer hacking contest head here at CanSecWest security conference. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. The contest serves to demonstrate the vulnerability of devices or the software in widespread use also provides a checkpoint on the progress made in security field.
Contestants this year at Pwn2Own 2017, in Vancouver just pulled off an unusual feat by compromising Microsoft’s well known Edge browser in a way that it escapes a virtual machine running on VMware Workstation .
Who Achieved This Hack?
This was achieved by a team from Chinese security firm Qihoo 360 by exploiting Edge browser and chained together two more other vulnerabilities and picked up massive $105,000 prize amount.
So How Did They Achieve The Feat?
They succeeded the above hack by leveraging a heap overflow in Microsoft Edge, creating a kind of confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. They backed it clearly in their blog post.
Another Exploit By Tencent Security
The second VMware Workstation escape was achieved by security analysts at Tencent Security. They succeeded the hack by chaining a Windows kernel use-after-free bug with a VMware Workstation info leak and an uninitialized buffer in VMware Workstation to go guest-to-host. They were also awarded with a whooping amount of $100,000 for chaining together second vulnerability.
It is also worth noting that Microsoft is well aware of the four zero-day vulnerabilities in it’s Edge and IE browsers that were being exploited in the wild.