Microsoft Edge was pwned twice while VMware WorkStation 12.5.1. was also compromised — In return, the hackers received a large amount of money.
At the Power of Community security conference that is being held in Seoul, Thursday was the day the security community was waiting for as it was the PwnFest 2-16 event day. At then event JungHoon “Lokihardt” Lee, a security researcher from South Korea and Beijing-based security firm Qihoo 360’s team revealed the two different ways with which hackers could exploit vulnerabilities in Microsoft Edge browser. The teams used the browser that ran on Red Stone1, which is the 64-bit version of Windows 10 Anniversary Edition.
PwnFest offers hackers and security firms a chance to showcase their talents regarding how the vulnerabilities on specific platforms can be used by cyber-criminals. A cash prize is offered to the successful participants and the good thing is that the platform developers learn about prevailing in their software or systems. The platforms included in the list are Google Pixel running on Nougat (Android Version 7), Apple Safari running on MacOS Sierra and Adobe Flash via Microsoft Edge running on Red Stone 1.
The target platforms and the cash reward offered against each are listed below:
The hackers managed to fully compromise Microsoft Edge twice and also broke VMWare Workstation twice without the involvement of user interaction. The VMWare hack was also performed remotely and a virus was introduced to the system through SYSTEM-level remote code execution. Qihoo was given 30 hours to rework the Edge bug.
Both Lee and Qihoo 360 were awarded $140,000 for obtaining SYSTEM-level code execution on Windows Edge and also bagged $150,000 for compromising VMware WorkStation 12.5.1. According to the team from Qihoo 360, it took them 6 months starting from March to identify the chained vulnerabilities. These included out-of-boundary write exploits, probably use-after-free, and confirmed out-of-boundary read.
Lee successfully exploited security holes present in Microsoft Edge even faster than Qihoo team as he took 18 seconds only. The exact duration required by Qihoo wasn’t disclosed. Currently, the details about the exploits haven’t been made public but the platform owners and vendors have been informed about them.