Microsoft Edge was hacked twice at this year’s PwnFest Microsoft Edge, which the Redmond-based software giant praised on several occasions for its high level of security, was hacked twice at PwnFest, with one of the attacks being successfully completed in no less than 18 seconds.
Security experts from Chinese firm Qihoo 360 managed to steal the show after they managed to break into Microsoft Edge and WMware Workstation without user interaction, The Register is reporting.
In the case of Microsoft, there were two successful exploits, both of which were based on SYSTEM-level code execution in the browser. One of the vulnerabilities was exploited by a security researcher team at Qihoo 360, while the other one was discovered by South Korean hacker Lokihardt, who managed to break into the browser in just 18 seconds.
Their efforts were rewarded with $140,000, but details of the exploits were submitted to Microsoft in order to patch them and prevent other successful attempts in the future.
According to the same report, a Qihoo team also managed to hack VMware Workstation 12.5.1 and received an award of $150,000 for discovering the exploits.
Patch Tuesday fixes
Microsoft has already patched some security flaws that the hackers planned to use in their exploits and the company will most certainly do the same with the other ones that allowed the hackers to break into the browser, but given that details have been shared privately, no user is put at risk in the meantime.
For example, the November 2016 Patch Tuesday rollout brought us MS16-129, which is a cumulative security update for Microsoft Edge that blocks Remote Code Execution flaws, and likely some of which were supposed to be used at PwnFest (although exploiting them requires user interaction, whereas hackers’ attempt didn’t involve such a thing).
“This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights,” Microsoft explains.
The bottom line here is that there’s no hackerproof software out there no matter the developing company and this is why it’s always critical to run up-to-date applications on your computer.