Pwn2Own 2017: Windows, Ubuntu, Edge, Safari, Firefox exploited

Martin Brinkmann
Mar 17, 2017
Updated • May 22, 2018
Security

The tenth anniversary of the Pwn2Own gathering of hackers, Pwn2Own 2017, saw eleven teams attempt to exploit products across four categories.

The products that teams were allowed to target this year included operating systems and web browsers, but also the new product categories Enterprise applications and server-side.

The Pwn2Own committee added programs like Adobe Reader and Apache Web Server as targets.

The first two days of the conference have passed already, and they saw successful, unsuccessful, and withdrawn exploit attempts.

On day one, teams managed to successfully exploit Adobe Reader (twice), Apple Safari (twice), Microsoft Edge, and Ubuntu Desktop. Attacks against Google Chrome and Microsoft Windows failed.

Additional attacks against Edge and Safari, however, failed or were withdrawn.

On day two, teams exploited Adobe Flash (twice), Microsoft Edge (twice), Apple Safari, Mac OS X, Mozilla Firefox, Apple Safari and Windows successfully.

Other attacks against Firefox, Windows, Microsoft Edge, and Apple Mac OS X failed, were withdrawn, or were disqualified.

Day three will see three additional attempts against the following targets: Microsoft Edge (twice) and VMware Workstation. We will update the article once the results are published.

Update: Microsoft Edge was attacked successfully twice, and the guest-to-host attack against VMware Workstation succeeded as well.

Analysis

Three of the four product categories of the Pwn2Own 2017 gathering are interesting to computer users.

On the operating system side, Windows, Mac OS X and Ubuntu Desktop were exploited successfully.

On the browser side, Microsoft Edge, Firefox, and Safari were exploited successfully. The one attack attempt against Chrome failed, and a second attack against Firefox failed as well. Both Edge and Safari were exploited multiple times.

On the application side, Adobe's Flash Player and Reader products were exploited successfully multiple times.

It is surprising that the most secure browser, according to Microsoft, was exploited successfully several times.

As far as browsers go, Chrome was the only browser not exploited successfully. Please note that Chromium-based browsers like Vivaldi or Opera were not part of the product range that teams could attack this year.

Companies with successfully exploited products are usually fast when it comes to releasing security updates for their products. It is likely that this trend will continue this year, so expect updates soon for affected products.

Last year's Pwn2Own saw successful exploits of Windows, Apple OS X, Safari, Edge, Chrome and Adobe Flash.

Videos

You can check out videos of the results of the first day below. If additional videos are posted, we will add them to the article as well.

Additional information on this year's Pwn2Own event is available on the TrendMicro Zero Day Initiative blog.

Publisher: Ghacks Technology News

Comments

  1. ShintoPlasm said on March 18, 2017 at 8:35 pm

    @Fx0: Oh come come, with all of Mozilla’s shenanigans I’m allowed some sarcasm… :)

  2. Daniel Veditz said on March 18, 2017 at 6:12 pm

    Firefox was updated with a fix 22 hours after the exploit was demonstrated. The exploit consisted of a Firefox vulnerability paired with a Windows vulnerability used to escape the Firefox sandbox.

  3. Fx0 said on March 18, 2017 at 9:20 am

    @ShintoPlasm: you’re really a funny kid.

    (the reply function didn’t work.)

  4. All Things Firefox said on March 17, 2017 at 8:10 pm

    “It is surprising that the most secure browser, according to Microsoft, was exploited successfully several times.”
    Microsoft’s claim doesn’t apply here. Microsoft was talking about social engineering, not code exploits.
    I wouldn’t compare product security based on these competitions. If something isn’t exploited here, it just means that those eleven teams couldn’t hack it.

  5. Matt said on March 17, 2017 at 6:31 pm

    Just interested as to why OSX isn’t listed in the headline – Conspiracy theory time :)

  6. CHEF-KOCH said on March 17, 2017 at 4:48 pm

    Same like last year.

    /lol

  7. ShintoPlasm said on March 17, 2017 at 10:17 am

    It’s because they didn’t use WebExtensions on Fx!

    /snarky
