Chinese Security Researchers Hack Microsoft’s Much Vaunted Windows 10 Edge Browser in 18 Seconds
Gone in 18 seconds!!! The much vaunted Microsoft’s Edge browser that it ships with Windows 10 OS was hacked in just 18 seconds. This feat was achieved at the PwnFest being held in Seoul.
On Thursday during the PwnFest 2016 event within Seoul’s Power of Community security conference, a team from vulnerability firm Qihoo 360 and South Korean security researcher JungHoon “Lokihardt” Lee demonstrated two different hacks that took advantage of vulnerabilities within Microsoft Edge, completing one in a mere 18 seconds.
The researchers used the Edge internet browser running on a 64-bit version of Windows 10 Anniversary Edition (aka Redstone 1), to remotely execute code at the system level. For this effort, the Qihoo Team and Lokihardt won $140,000 from the organizers.
The team discovered vulnerabilities in the Windows 10 browser enabled system-level remote code execution. To better understand system-level access, you have to look at how device operating systems are layered in a security sense. At the top layer, consumers will see the applications they normally use. Under that are device drivers with low privileges followed by device drivers with high privileges further underneath. The final, bottom layer consists of the operating system’s central core, aka the kernel, that controls everything. Running a malicious program below the “user” layer grants a hacker special privileges that can go undetected by the device owner.
The Qihoo 360 team was working on developing the attack for the past 6 months. However, the team had to revise the code within 30 hours prior to the Pwn fest as Microsoft patched 3 out of 4 vulnerabilities available for attack.
The event also witnessed the world’s first attacks on VMware Workstation 12.5.1, thanks to another Qihoo 360 team and Lee who won $150,000 for the exploits.