At Pwn2Own 2018, a contest known throughout the world, the Microsoft Edge, Firefox and Safari web browsers were the preferred targets of the attending “white glove hackers”.
These days, everything related to web browsers takes on special significance when it comes to security, and Pwn2Own is no exception. This year Richard Zhu opened with a Windows kernel Elevation of Privilege (EoP) exploit aimed at Mozilla Firefox, breaking the software's security on his first attempt.
What he achieved was an out-of-bounds (OOB) write in the browser itself, which led to a memory overflow in the Windows kernel and earned the “white glove hacker” a prize of 50,000. Keep in mind that Richard Zhu himself received 120,000 in this year's edition of Pwn2Own.
Apple's Safari web browser was the next target on the list. This time Markus Gaasedelen, Nick Burnett and Patrick Biernat of Ret2 Systems managed to compromise the browser on the fourth attempt with an EoP in the macOS kernel. Unlike the previous case, however, they were not selected to receive a prize, because the contest requires successful hacks to be demonstrated in a maximum of three attempts.
Pwn2Own 2018 highlights the security of some web browsers
They can nevertheless claim that the newly detected error was immediately disclosed to Apple and will be corrected with a software update in a short time. Safari was then hacked more quickly by Alex Plaskett, Georgi Geshev and Fabi Beterke of MWR Labs, who broke the browser's security with a stack buffer overflow to obtain code execution. The team won a prize of 55,000 for its successful attack.
In short, Microsoft Edge, Apple Safari and Mozilla Firefox were all hacked during this year's Pwn2Own contest, so updates for the three browsers are expected soon to fix these flaws as quickly as possible.
Of course, we must bear in mind that all vulnerabilities are disclosed privately to the companies involved so that they can begin developing the corresponding patches for everyone.