PwnFest fells first tech giants – Google Pixel, Adobe next in line
Power of Community Hackers have twice completely compromised Microsoft Edge operating on Windows 10 Red Stone 1 and for the first time twice broken VMWare Workstation without user interaction.
The bugs landed via SYSTEM-level remote code execution while the second VMware hacks could also be performed remotely.
The four hacks were demonstrated at the PwnFest 2016 event held at the Power of Community security conference in Seoul on Thursday, with details to be provided to vendors and kept under wraps.
It is a run of hacks against major platforms including the new Google Pixel running Android version 7 (Nougat), Adobe Flash via Microsoft Edge on Windows 10 Red Stone 1, and Apple Safari on MacOS Sierra.
Junghoon Lee, aka LokiHardt, shows his successful Edge exploit.
Darren Pauli / The Register.
A team at Beijing vulnerability firm Qihoo 360 successfully popped Edge on Windows 10, as did highly talented South Korean hacker Lokihardt, the latter’s exploit being successful after only 18 seconds.
Both earned $140,000 for gaining SYSTEM-level code execution on Windows Edge.
Another Qihoo hacker team and Lee both compromised VMware Workstation 12.5.1 in the world’s first attacks against the platform, bagging $150,000 for the exploits.
As both were by coincidence identical, Lee offered a second undisclosed bug to earn the cash reward.
The Qihoo team told Vulture South that it took six months from March to brew the trio of chained vulnerabilities including a possible use-after-free, confirmed out-of-boundary read, and out-of-boundary write exploits.
Qihoo had about 30 hours to rework their Edge bug after Microsoft squashed three of their four vulnerabilities in its Patch Tuesday run just before the event.
The Register will report on successful hacks throughout the two-day conference.
The hacking teams should be expected to succeed.
Darren Pauli travelled to Seoul as a guest of Power of Community.
Sponsored: Customer Identity and Access Management