Pwn2Own 2016: Windows Most Hacked, Edge Holds Its Own, Firefox Missing In Action

At this year’s Pwn2Own hacking contest, no target escaped unscathed. The hacking teams found 21 vulnerabilities in Windows, Mac OS X, Flash, Safari, Edge and Chrome, for which they were awarded a total of $460,000.

The two main sponsors of the event were Hewlett Packard Enterprise and Trend Micro. HPE will be selling the TippingPoint security division to Trend Micro for $300 million, which is why Trend Micro will remain the main sponsor in the future, but this year the two companies collaborated.

Windows Still Easiest to Hack

Although it’s not fair to compare an operating system to a browser in terms of how many vulnerabilities each has, because an operating system has a much larger attack surface, those vulnerabilities can be used to attack the browsers. This is why the Pwn2Own browser hacking contest allows operating system attacks, as well.

The hackers found six vulnerabilities in Windows 10 - the most found for a single target at the competition. However, Apple’s Mac OS X wasn’t too far behind, as they found five vulnerabilities in it.

Edge, Safari Successfully Attacked

Safari was attacked three times, and all were successful. Microsoft’s new Edge browser proved more difficult to attack compared to Microsoft’s previous browsers, but it was still successfully attacked on both attempts.

With Edge, Microsoft ditched most of the legacy code found in Internet Explorer, so it should be expected that it’s more secure. However, it also looks like the hackers may not have focused as much on it, possibly because they believed that it would be hard to break. We’re going to have to see if Edge can be consistently more secure than most other browsers at the next Pwn2Own competitions.

Chrome Still Security King

Chrome was built with security in mind from day one, and over the years it has proven to be the overall most secure browser. The sandboxing system, which has often been criticized for using too much memory, the large development team, and most of the browser being open source have all played a role in strengthening Chrome’s security.

The hackers attacked Chrome twice. One attack failed, and the other was deemed only a partial success because the vulnerability had already been independently disclosed to Google, and the point of Pwn2Own is for software vendors to discover zero-day vulnerabilities.

Where’s Firefox?

At this year’s Pwn2Own, we noticed that Firefox was missing. Apparently, the sponsors thought Firefox was too easy of a target, and it hasn’t added major security improvements over the past year.

Firefox was supposed to add the ever-delayed Electrolysis partial-sandboxing architecture to Firefox 43, but then it was delayed until version 45. However, we’re now at Firefox 45, and Electrolysis is still not enabled by default in the browser. Firefox remains one of the last major browsers not to have a sandboxing system, which exposes it to more security vulnerabilities compared to its competitors.

However, even when Firefox finally adopts Electrolysis by default, it won’t be a full sandbox for each tab as we see in Chrome or Edge, but only a partial one. It will enable a single “content process” (with content from all tabs) to be isolated from the rest of the browser. This sandboxing system is now expected to arrive sometime in the middle of the year.

The biggest hurdle in adopting a full sandboxing system for Firefox is the old add-on model. Until most Firefox add-ons have been converted to Chrome-like extensions, Firefox will likely not get a full sandboxing architecture.

This is as much Mozilla’s fault for not pushing more aggressively for a more modern architecture as it is the fault of Firefox users who don’t want to compromise on add-on functionality for better security. As long as there's strong backlash against any major change that breaks the old add-on models, Firefox will likely remain one of the least secure browsers out there.

That’s why Mozilla’s best bet is probably to launch a new browser, written from scratch in Rust, the memory-safe language Mozilla created. The new browser would have the benefit of starting things over in a much more secure way, without worrying about legacy code and architectures. It would eliminate entire classes of vulnerabilities such as buffer overflows, and it would also be much faster due to the language’s multi-core optimizations.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

  • wheredahoodat
    So the lesson of the story is if you are a spook, work with sensitive info for the government or private company, a dissident you should use Chrome. Preferably with an up to date Linux distro b/c if those jokers have zero days, then you can be sure the NSA, FSB, Chicoms have their own lined up if you interest them enough.
  • tntom
    It is sad to see the fall of Firefox... but it is time to move on from Netscape.
  • alextheblue
    So the lesson of the story is if you are a spook, work with sensitive info for the government or private company, a dissident you should use Chrome. Preferably with an up to date Linux distro b/c if those jokers have zero days, then you can be sure the NSA, FSB, Chicoms have their own lined up if you interest them enough.

    I think the real lesson is to enable better security regardless of what OS and browser you choose to use. That's the point HPE and Trend Micro are trying to get across. You can use almost anything as long as you secure it better than it comes bone-stock default.
  • joshyboy82
    Using Chrome as a security bet? Seems like a joke. Yeah a hacker doesn't have your information, but you're using chrome, so every company that ever tried to sell anything, ever, does. Buy new dishwasher detergent, you're low.
  • wheredahoodat
    I think the real lesson is to enable better security regardless of what OS and browser you choose to use. That's the point HPE and Trend Micro are trying to get across. You can use almost anything as long as you secure it better than it comes bone-stock default.
    Using Chrome as a security bet? Seems like a joke. Yeah a hacker doesn't have your information, but you're using chrome, so every company that ever tried to sell anything, ever, does. Buy new dishwasher detergent, you're low.

    Pssh, at least make the insult plausible or grounded in some reality, you thought of dishwater detergent? What are you 60 years old, "ohhh...people these days use that tobacco smoke with the 7 leaves" LOL
  • mcdudeman
    I remember an article outlining that Chrome was the riskiest browser to use, and that IE was the safest, due to the SmartScreen filter and reports, while Chrome is known for automatic downloads and adware extensions (I have had a number of adware extensions sneak into Chrome through normal use... I am also not alone, I have had to remove adware for a friend and for a family member, both of whom also used Chrome)
  • mcdudeman
    Oh yeah, the assessment was done by a company called NSS Labs.