On day three of the Pwn2Own 2017 hacking contest held in Vancouver on Friday, a guest at system Windows installed on VMware Workstation managed to "escape" twice.
Her Chinese team companyς ασφαλείας Qihoo 360 ξεκίνησε αξιοποιώντας ευπάθειες στον Edge browser της Microsoft που της επέτρεψαν να “φύγει” από την εικονική μηχανή VMware, και να φτάσει στο κυρίως σύστημα. Η ομάδα από τη συγκεκριμένη επίθεση κατάφερε να κερδίσει ένα έπαθλο των 105.000 δολαρίων.
The second VMware Workstation breakout was done by the Tencent Security team, who won $100.000 for presentation of a Windows kernel use-after-free vulnerability combined with a “Workstation infoleak and an uninitialized buffer in Workstation to go guest-to-host.”
Both teams were able to escape virtual machines and were found to be the first and second respectively in the ranking of the competition.
In the previous days of Pwn2Own 2017, which we have described in an earlier publication, Flash, Windows Kernel, Microsoft Edge, MacOS Kernel, Firefox and Apple's Safari were violated (again).
To mention that in October, Microsoft said that it was aware of the four zero-day vulnerabilities that exist in Edge, the Office, and Internet Explorer.