Microsoft Edge got hacked at Pwn2Own 2019, patch incoming
Published on March 25, 2019
Security researchers hacked Microsoft Edge and Mozilla Firefox and earned a cash prize of $270K at the Pwn2Own hacking event.
The Firefox 66 browser was announced on March 19, so the company let friendly hackers attack it in order to detect any potential security vulnerabilities.
The researchers identified two issues in the web browser. On the very next day, the company decided to release a patch to fix both of them in the Firefox 66.0.1 update.
For those who are not aware of Pwn2Own, it is an annual hacking competition. It gives security researchers an opportunity to demonstrate new zero-day bugs.
In return for their efforts, Trend Micro’s Zero Day Initiative (ZDI) rewards them with a handsome amount.
The @fluoroacetate duo does it again. They used a type confusion in #Edge, a race condition in the kernel, then an out-of-bounds write in #VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130K plus 13 Master of Pwn points. pic.twitter.com/mD13kozJLv
— Zero Day Initiative (@thezdi) March 21, 2019
Pwn2Own Roundup
The researchers who demonstrated new vulnerabilities in Oracle VirtualBox, Apple Safari and VMware Workstation were awarded $240,000 on the first day of Pwn2Own 2019.
On the second day, ZDI awarded $270,000 to the researchers who identified new bugs in Microsoft's Edge and Mozilla Firefox browsers.
This is how researchers managed to hack Edge:
That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation.
Most importantly, the kernel escalation flaw in Firefox 66 was demonstrated by Richard Zhu and Amat Cama, officially known as Fluoroacetate, who received an award of $50,000. Niklas Baumstark used a sandbox escape technique to exploit Firefox 66.0 and received an award of $40,000.
All of these vulnerabilities have been reported to Microsoft and Mozilla, and the companies are working on patches that are expected to be released in the next updates.
Milan Stanojevic
Windows Troubleshooting Expert
Milan has been enthusiastic about technology ever since his childhood days, and this led him to take interest in all PC-related technologies. He’s a PC enthusiast and he spends most of his time learning about computers and technology.
Before joining WindowsReport, he worked as a front-end web developer. Now, he’s one of the Troubleshooting experts in our worldwide team, specializing in Windows errors & software issues.