Virtual machine escape fetches $105,000 at Pwn2Own hacking contest

Contestants at this year’s Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: They compromised Microsoft’s heavily fortified Edge browser in a way that escapes a VMware virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.


According to a Friday morning tweet from the contest’s organizers, members of Qihoo 360’s security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel, and an uninitialized buffer vulnerability in VMware, contest organizers. The result was a “complete virtual machine escape.”


Virtual machines are vital to the security of individuals and large organizations everywhere. In server hosting environments, they’re used as a container that prevents one customer’s data and operating system from being accessed by other customers sharing the same physical server. Virtual machines are also used on desktop computers to isolate untrusted content. Should the guest operating system be compromised through a drive-by browsing exploit or similar attack, the hackers still don’t get access to data or operating system resources on the host machine.


Read 6 remaining paragraphs | Comments

View article…