Microsoft Edge: Most Hacked Browser At Pwn2Own 2017

[Lucian Armasu]

Microsoft's Edge browser was the most successfully hacked at this year's Pwn2Own hacking contest, with researchers achieving five attacks against it. Safari was a close second in being most hacked, while Chrome remained the most secure browser.

Microsoft Edge: Most Hacked Browser At Pwn2Own 2017 : Read more

 

[Guest]

So much of Windows 10 being the most secured OS. You people should stop believing Microsoft bullcrap.

 

[Jeff Fx]

MS forced me to unpin Edge from my task bar. Recently Edge started popping up an ad every time I ran Chrome, to tell me Edge is faster. My OS should not be trying to use it's position to sell me on using MS junk instead of more secure tools. I thought this sort of thing was illegal.

 

[falchard]

Much better to attempt hacks on Microsoft. Finding an exploit pays better.

 

[shrapnel_indie]

Microsoft created the Edge browser by rewriting most of it from scratch (some parts were forked from Internet Explorer).

TBH: we only have their word on that. There is always the possibility that much-much-more was forked into Edge from IE than they told the public.

Surprised with as much data mining Google does, that Chrome is showing as so secure.

Win10 vulnerabilities: Not so surprising, especially in light of their own personal data mining.

Win10 has the potential to be really good... MS just has to refocus on true security on ALL levels and stop poking their nose into the business of its users.

 

[alextheblue]

Surprised with as much data mining Google does, that Chrome is showing as so secure.

Win10 vulnerabilities: Not so surprising, especially in light of their own personal data mining.

Internal data mining does not mean the program is inherently less secure. As for Windows itself, it's a lot harder to secure a long-standing full fledged OS with wide-ranging software/hardware compatibility. That's not to say they should ever stop shelling out money for vulnerability bounties, and they need to continue fixing them to the best of their abilities. But comparing a browser to an full-blown OS is silly. I mean even Android has vulnerabilities and it is a lot less complex than Windows. Windows 7 has vulnerabilities too. MS probably isn't quite as interested in paying people to scrutinize it though, compared to 10.

As for Edge, it needs a lot of work. Even so it has come a long way in a relatively short period of time. I'd say overall it's actually not bad for a stock browser. But this definitely shows they need to prioritize security in the coming year. Kudos to the security researchers for making everyone safer, and making some cash in the process.

 

[shrapnel_indie]

Surprised with as much data mining Google does, that Chrome is showing as so secure.

Win10 vulnerabilities: Not so surprising, especially in light of their own personal data mining.

Internal data mining does not mean the program is inherently less secure. As for Windows itself, it's a lot harder to secure a long-standing full fledged OS with wide-ranging software/hardware compatibility. That's not to say they should ever stop shelling out money for vulnerability bounties, and they need to continue fixing them to the best of their abilities. But comparing a browser to an full-blown OS is silly. I mean even Android has vulnerabilities and it is a lot less complex than Windows. Windows 7 has vulnerabilities too. MS probably isn't quite as interested in paying people to scrutinize it though, compared to 10.

As for Edge, it needs a lot of work. Even so it has come a long way in a relatively short period of time. I'd say overall it's actually not bad for a stock browser. But this definitely shows they need to prioritize security in the coming year. Kudos to the security researchers for making everyone safer, and making some cash in the process.

I probably should have probably made it clearer that this was in no way a comparison of browser vs OS. I do understand that an OS is far more complex than a browser... unfortunately, the way Microsoft embedded the browser into the OS in the past doesn't do much either in keeping the two distinct entities, which doesn't help matters.

While internal data mining doesn't mean the program or OS is less secure, it does provide paths that absolutely must be fortified against misuse and attack. I understand that everything has vulnerabilities, in which the only greatest safeguard is to never power them on... which is quite silly too as you'd never benefit from their usage. It matters not if it''s an IoT device, an OS (no matter age, usage numbers, or vendor,) or any other app or piece of data.

You are correct though about the need to prioritize security... but I would hope the benefits of such prioritization would be felt much much sooner than next year or the next contest.

 

[Dosflores]

There's something I don't like about Pwn2Own: teams are allowed to target any browser. I think it would be more interesting if you could only attack a given browser each day. Otherwise, it makes sense for teams to target the weakest browsers, which obviously means Edge and Safari, because their update processes are merged with their respective OS updates. And after the Microsoft February updates fiasco, it would have been silly not trying to obliterate Edge.

So, yeah, we know Edge and Safari have lots of vulnerabilities, but we can't be sure Chrome and Firefox don't have their share.

 

[Stubbies]

And Microsoft thinks I'm crazy for still running Windows 7 with Chrome....

 

[buscseik]

I agree that, this competition should be managed different way like it was mentioned previously. E.g.: Teams have 1 day for each browser...
You can say harder to hack Chrome, but in other hand Google collect information about you every second, and nobody thinks that is a security issue . If someone else collect information about you, than it is a security issue.

Just a simple example: Everyone agree that private mailing is one of the number one privacy object. Possibly all of you noticed your android phone will notice you about upcoming travel.
Have you been every thinking about it how your phone knows about your upcoming travel? If a bot reading your email for this information at Google, what is the guarantee there is no other bot at Google that reading your email for other private information about you?

 

[buscseik]

I agree that, this competition should be managed different way like it was mentioned previously. E.g.: Teams have 1 day for each browser...
You can say harder to hack Chrome, but in other hand Google collect information about you every second, and nobody thinks that is a security issue . If someone else collect information about you, than it is a security issue.

Just a simple example: Everyone agree that private mailing is one of the number one privacy object. Possibly all of you noticed your android phone will notice you about upcoming travel.
Have you been every thinking about it how your phone knows about your upcoming travel? If a bot reading your email for this information at Google, what is the guarantee there is no other bot at Google that reading your email for other private information about you?

 

[cwolf78]

"what is the guarantee there is no other bot at Google that reading your email for other private information about you?"

Um, actually there is a guarantee that there IS. Per their ToS they have an automated reader that scrapes the content of your e-mails to display "relevant" ads. I think pretty much every Google product has this "feature." They are an advertising company giving away "free" products after all.

No that I'm complaining as I find their products extremely useful and robust. I haven't had the Feds knocking on my door or have been the victim of gang stalking because I use Google products.

 

[buscseik]

Yep, obviously that is a feature from one viewpoint(but from other, that is something that read and analyze your emails). The only question how do you name this.


I am afraid you are biased about Google. If you will try to live without Google, than you will see have no choice. You can agree with Google term and conditions or you can agree, no third option.


Just think about it, If I do not agree with Google T&C and won't accept that they can collect information about me. What will happen if I visit a third party page that has Google plugin? It will collect information about me or not?


The fact is Google tracking every people.