Pwn2Own 2016: Windows, OS X, Chrome, Edge, Safari all hacked

Martin Brinkmann
Mar 20, 2016
Updated • May 22, 2018

The results of this year's Pwn2Own security contest are in and things are not looking good for Windows and Apple OS X, the browsers Safari, Edge and Chrome, and Adobe Flash as they have all been pwned by participating security teams.

Firefox was not part of the 2016 contest because it has not "made serious security improvements in the last year" according to Brian Gorenc, manager of Vulnerability Research at HPE, which sponsored the 2016 event together with Trend Micro.

Of the three web browsers that were attacked during the event, all three were exploited successfully by participating teams, often with the help of vulnerabilities in the operating systems they ran on, or Adobe Flash.

Pwn2Own 2016

Google Chrome fared the best of the three: participants attacked it twice but exploited it successfully only once. The successful attack did not count fully, though, as the vulnerability used to attack Chrome had already been reported to Google.

All attacks on Microsoft Edge and Apple Safari were successful. Participants attacked Edge twice and Safari thrice during the two days of the contest.

In addition to these attacks, vulnerabilities in operating systems and Adobe Flash were revealed as well.

Six new Microsoft Windows, five new Apple OS X and four new Adobe Flash vulnerabilities were disclosed during the event.

Interestingly enough, all successful attacks during the 2016 Pwn2Own event gave the attacker system or root privileges, something that had not happened in previous years.

Trend Micro released two videos, one for each day of the contest, that summarize the attacks of each day and whether they were successful.

Pwn2Own 2016 Day 1 Recap

Pwn2Own 2016 Day 2 Recap and Event Wrap-up

Companies have been informed about the vulnerabilities used during the contest, and it is likely that we will see patches released shortly for at least some of them.

Closing Words

It is a bit unfortunate that Firefox and Linux were not included, but Firefox users, and users who use other browsers than the three that were included, may at least benefit from the newfound vulnerabilities in Microsoft Windows and Apple OS X, and if they use Adobe Flash, also in that program. (via Venturebeat)

Ghacks Technology News



  1. Robert said on March 21, 2016 at 9:08 pm

    How many of these vulnerabilities actually worked with Windows 10 with SUA and UAC on max?

    1. Corky said on March 22, 2016 at 10:34 am

      As has already been explained, all hacks were carried out using default configurations; how many vulnerabilities worked with Windows 10 with SUA and UAC on max would only be relevant if that was the default setting for Windows 10.

  2. BeatriZ Terez said on March 21, 2016 at 1:58 pm

    Great info. I have Windows Vista. Msg from Google RE: Chrome: “April it will no longer support Windows Vista”. Was going to choose Firefox or Opera. Had stopped using IE9 since it didn’t work well with some programs, switched to Chrome. Question: what should I switch to? Thank you.

    1. Martin Brinkmann said on March 21, 2016 at 2:07 pm

      Choose whichever browser suits you best. If you don’t know, try them both and base your decision on that. Both are updated regularly (including security updates), and both are an improvement over Internet Explorer 9.

  3. David said on March 21, 2016 at 11:04 am

    I remember how Opera always used to survive these tests when everyone else fails. Now with Opera gone, everyone fails. Great. Progress.

  4. CHEF-KOCH said on March 21, 2016 at 4:35 am

    The problem with all of these mentioned hacks is that they need additional steps to work. Disabled UAC, infected/faked browser build, pre-hacks to get privileges, and so on. So don't hype it so much without mentioning that they are not particularly usable against a user who has a little bit of brain.

    Just don't click on everything, use UAC max, a sandbox, patch the system and the other well-known stuff, and you'll be secure. There is also a difference between vulnerabilities and social engineering; why hack if you can get the necessary information much more easily?

    1. Neal said on March 21, 2016 at 6:31 am

      The UAC was on default level, and it wouldn’t have mattered if it was on max level, the exploits would have bypassed UAC at any setting. If I remember correctly, Windows 10 won’t allow you to use any UWP app like Edge if you have UAC off, exactly b/c it would disable the sandbox that all UWP apps run in. Also all the software was updated, including the OS, browsers, plugins.

      That means by default the account was admin too; that is a first this year, in the previous year I think they used a standard account. I think that was a good decision and more realistic b/c most home Windows computers would follow that configuration.

      1. Neal said on March 22, 2016 at 7:26 am


        You can visit one of the many hacker blogs on the subject and it is not theoretical it has happened in the past, it is not shady either a lot of whitehats have written on the subject. I find it odd how MS has ingrained in the public that the privilege limitation they introduced in Vista, which was in Linux for years before, is the panacea of security.

        Let’s just say any part of the OS including software, text rendering, drivers, anything that requires admin privileges to work properly means that limited privilege only mitigates. Just look at your Windows security patches, exploits with text rendering, exploits with the kernels, etc. etc., those types of exploits many times would fly by any UAC setting.

      2. anon said on March 21, 2016 at 4:33 pm

        >and it wouldn’t have matter if it was on max level, the exploits would have bypassed UAC at any settings
        That’s not how it works. Perhaps there’s some exploit I’m unaware of but most of the exploits would simply fail due to Windows calling the Consent UI or Credentials UI in the secure desktop to request the user to grant or deny privilege elevation for the process.

  5. Ben said on March 21, 2016 at 3:04 am

    And why is Mozilla not participating?

  6. Idiot said on March 20, 2016 at 10:38 pm

    It looks like Firefox is so vulnerable it is too easy to hack.

    1. Jason said on March 21, 2016 at 3:36 am

      I suspect these hacking attempts were just with unmodified “vanilla” browsers. Frankly, no browser is good enough in a vanilla state to be trusted. But add NoScript to Firefox and suddenly you’ve got some very powerful security.

      1. Pants said on March 21, 2016 at 4:52 am

        It’s part of the rules – default configs
        “The targets will be running on the latest, fully patched version of the operating system available on the selected target (Microsoft Windows 10 x64, Mac OS X El Capitan). All targets will be 64-bit, if available, and installed in their default configurations.”

        I also think the reason FF wasn’t considered (too easy?) is it’s not e10s (yet)

  7. Guest7 said on March 20, 2016 at 8:58 pm

    Firefox should see a significant security boost when they switch to the Rust language, as Rust is inherently more secure than what Firefox is currently based on (I assume C++)

  8. Jojo said on March 20, 2016 at 7:54 pm

    It will be good when computers start writing code on their own in place of human code writers. Then we should have fewer security holes. Time to shape up, humans!

    1. Gary D said on March 20, 2016 at 8:43 pm


      Watch out for the Terminator if we don’t shape up :))
