The Zero Day Initiative (ZDI), founded by TippingPoint, is a program for rewarding security researchers for responsibly disclosing vulnerabilities. The latest Pwn2Own competition was held last week, and the Microsoft Edge browser was successfully exploited several times by the contestants.
On Day 1 of the competition, Tencent Security – Team Ether targeted Microsoft Edge and succeeded, using an arbitrary write in Chakra and escaping the sandbox through a logic bug within the sandbox. This netted them a cool $80,000.
On Day 2, Tencent Security – Team Lance also successfully exploited Microsoft Edge by using a UAF in Chakra, then elevated their privileges to SYSTEM by using a UAF in the Windows kernel. This garnered them $55,000.
Tencent Security – Team Sniper (Keen Lab and PC Mgr) completed their exploit of Microsoft Edge with a UAF in Chakra and escalated to SYSTEM-level privileges through a UAF in the Windows kernel. This won them $55,000.
A team from 360 Security successfully exploited Microsoft Windows with an out-of-bounds (OOB) bug in the Windows kernel. This netted them $15,000.
Finally, Tencent Security – Team Sniper (Keen Lab and PC Mgr) elevated privileges in Microsoft Windows through an integer overflow in the kernel. This earned them $15,000.
On Day 3, a team from 360 Security attempted a full virtual machine escape through Microsoft Edge and succeeded, a first for the Pwn2Own competition. They leveraged a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. These three bugs earned them $105,000. Their code demonstration needed only 90 seconds!
Finally, Richard Zhu (fluorescence) targeted Microsoft Edge with a SYSTEM-level escalation. He leveraged two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. This garnered him $55,000.
It is important to keep your Windows 10 device up to date with the latest updates from Microsoft to protect it from vulnerabilities like the ones above.