Firefox, Edge and Safari fall prey to Pwn2Own hackers

At the Pwn2Own 2018 event, security experts managed to exploit new vulnerabilities in the Firefox, Edge and Safari browsers. With that, they managed to win $267,000 of the $2 million prize pool.

On Wednesday, researcher Richard Zhu, aka fluorescence, demonstrated a sandbox escape for Safari, but he couldn’t get his exploit to work within the allotted time of thirty minutes. He had more success attempting to crack Edge, using a use-after-free vulnerability coupled with an integer overflow in the kernel. Safari later fell victim to the first Pwn2Own day, through a combination of a JIT optimization bug, a macOS sandbox exit vulnerability, and kernel overwrite. Hacker Samuel Groß then had a ‘pwned’ text appear on the Touch Bar of the MacBook Pro.

On Thursday it was again Zhu who this time cracked Firefox with an out-of-bounds vulnerability followed by an integer overflow via a kernel bug in Windows to get out of the sandbox. Three hackers then managed to successfully attack Safari again. That only worked on the fourth attempt, where only three attempts are allowed. Another team, from MWR labs, then managed to hack into regulatory Safari after all, via a heap buffer overflow and a uninitialized stack variable in macOS.

Zhu eventually became Master of Pwn with twelve points and $12,000 in prize money. The competition is held annually by Trend Micro’s Zero Day Initiative, which pays for the vulnerabilities and passes them on to the appropriate software company, which has 90 days to patch them.

It was striking this year that Chinese researchers withdrew after the Chinese government indicated that they did not want them to share vulnerabilities via third parties outside of China, Bleeping Computer writes. China wants the researchers to contact the supplier directly. In previous years, Chinese contestants regularly won.