Pwn2Own 2017: Windows, Ubuntu, Edge, Safari, Firefox exploited

The tenth anniversary of the Pwn2Own gathering of hackers, Pwn2Own 2017, saw eleven teams attempt to exploit products across four categories.

The products that teams were allowed to target this year included operating systems and web browsers, as well as the new product categories enterprise applications and server-side.

Programs like Adobe Reader and Apache Web Server were added as targets by the Pwn2Own committee.

The first two days of the conference have passed already, and they saw successful, unsuccessful, and withdrawn exploit attempts.

On day one, teams managed to successfully exploit Adobe Reader (twice), Apple Safari (twice), Microsoft Edge, and Ubuntu Desktop. Attacks against Google Chrome and Microsoft Windows failed.

Additional attacks against Edge and Safari failed or were withdrawn, however.


On day two, teams exploited Adobe Flash (twice), Microsoft Edge (twice), Apple Safari, Mac OS X, Mozilla Firefox, Apple Safari and Windows successfully.



Other attacks against Firefox, Windows, Microsoft Edge, and Apple Mac OS X failed, were withdrawn, or were disqualified.

Day three will see three additional attempts being made against the following targets: Microsoft Edge (twice) and VMware Workstation. We will update the article once the results are published.

Update: Microsoft Edge was attacked successfully twice, and the guest-to-host attack against VMware Workstation succeeded as well.

Analysis

Three of the four product categories of the Pwn2Own 2017 gathering are interesting to computer users.

On the operating system side, Windows, Mac OS X and Ubuntu Desktop were exploited successfully.

On the browser side, Microsoft Edge, Firefox, and Safari were exploited successfully. The one attack attempt against Chrome failed, and a second attack against Firefox failed as well. Both Edge and Safari were exploited multiple times.


On the application side, Adobe's Flash Player and Reader products were exploited successfully multiple times.

It is surprising that the most secure browser, according to Microsoft, was exploited successfully several times.

As far as browsers go, Chrome was the only browser not exploited successfully. Please note that Chromium-based browsers like Vivaldi or Opera were not part of the product range that teams could attack this year.

Companies with successfully exploited products are usually fast when it comes to releasing security updates for their products. It is likely that this trend will continue this year, so expect updates soon for affected products.

Last year's Pwn2Own saw successful exploits of Windows, Apple OS X, Safari, Edge, Chrome and Adobe Flash.

Videos

You can check out videos of the results of the first day below. If additional videos are posted, we will add them to the article as well.

Additional information on this year's Pwn2Own event is available on the Trend Micro Zero Day Initiative blog.

Publisher: Ghacks Technology News



Responses to Pwn2Own 2017: Windows, Ubuntu, Edge, Safari, Firefox exploited

  1. ShintoPlasm March 17, 2017 at 10:17 am #

    It's because they didn't use WebExtensions on Fx!

    /snarky

  2. CHEF-KOCH March 17, 2017 at 4:48 pm #

    Same as last year.

    /lol

  3. Matt March 17, 2017 at 6:31 pm #

    Just interested as to why OSX isn't listed in the headline - Conspiracy theory time :)

  4. All Things Firefox March 17, 2017 at 8:10 pm #

    "It is surprising that the most secure browser, according to Microsoft, was exploited successfully several times."
    Microsoft's claim doesn't apply here. Microsoft was talking about social engineering, not code exploits.
    I wouldn't compare product security based on these competitions. If something isn't exploited here, it just means that those eleven teams couldn't hack it.

  5. Fx0 March 18, 2017 at 9:20 am #

    @ShintoPlasm: you're really a funny kid.

    (the reply function didn't work.)

  6. Daniel Veditz March 18, 2017 at 6:12 pm #

    Firefox was updated with a fix 22 hours after the exploit was demonstrated. The exploit consisted of a Firefox vulnerability paired with a Windows vulnerability used to escape the Firefox sandbox.

  7. ShintoPlasm March 18, 2017 at 8:35 pm #

    @Fx0: Oh come come, with all of Mozilla's shenanigans I'm allowed some sarcasm... :)
