Most secure os 2017
With three and a half success attacks against it, Safari didn’t fare so well in the Pwn2Own contest, but it still did better than Edge.įirefox was back at this year’s Pwn2Own after missing last year, seemingly because the browser would’ve been too easy to hack. Team Sniper and 360 Security successfully hacked Safari on the second day, each earning $35,000. Richard Zhu failed to complete an attack against Safari in the allotted amount of time, on the first day of the contest. However, it was awarded only a partial prize ($28,000) because the UAF bug had already been fixed in the beta version of Safari.Īnother team of researchers from the Chaitin Security Research Lab used six different bugs to successfully attack Apple’s browser and gain root access on macOS. The first attack against Safari used three logic bugs in the browser and a null pointer dereference to elevate privileges in macOS.
#Most secure os 2017 windows
The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs-one in Edge and one in a Windows kernel buffer overflow-to complete the hack. This impressive chained-exploit gained the 360 Security team $105,000. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from “360 Security.” The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. However, Team Lance (Tencent Security) successfully exploited Microsoft’s browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. Two other teams withdrew their entries against Edge. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. However, one was disqualified for using a vulnerability that was disclosed the previous day. On the second day, the Edge browser was attacked fast and furious by multiple teams.