
The Results – Pwn2Own 2017 Day Three - sharjeelsayed
https://www.zerodayinitiative.com/blog/2017/3/17/the-results-pwn2own-2017-day-three
======
qb45
I'm used to seeing browsers and kernels pwned left and right, but multiple
VMware escapes? Is this how all VMs are nowadays or just something wrong with
VMware in particular?

~~~
walterbell
It would be interesting to compare the number of VMware escapes, before and
after the entire US development team was laid off and replaced with a
maintenance team (in China?).

[https://www.theregister.co.uk/2016/01/27/vmware_fusion_and_w...](https://www.theregister.co.uk/2016/01/27/vmware_fusion_and_workstation_development_team_fired/)

~~~
daeken
Interesting perhaps, but useless. The number of successful attacks we see on a
product is an equation taking in the number of interested parties, the amount
of collective experience (in the product) those parties are able to draw from,
and the relative reward that the attack can give you.

Assuming that the reward doesn't drop (and it certainly hasn't -- that's gone
up every year as VMs have become more and more critical), the collective
knowledge keeps growing and thus this will always trend towards more attacks,
not fewer.

~~~
walterbell
The layoffs were only a year ago and the product itself was in a mature/stable
market, which was one reason for the layoffs. Pre-layoff, VMware's desktop
hypervisor had existed and been attacked for more than a decade. Other
complications are a shrinking PC market and new versions of Windows.

------
israrkhan
It is disappointing to see that no matter how many exploit mitigation and
sandboxing techniques are used, Edge+Windows is still an exploitable
combination (multiple exploits targeted this successfully). I am a bit
disappointed to see this since it was a new browser from ground up, and they
could have gotten things right. But then browsers and operating systems are
big attack surfaces and it is difficult to get everything right. That is where
exploit mitigation techniques come into play. Apparently they also do not
offer much.

Secondly, it is interesting to see that all (except one) of the security teams
that won the contest were Chinese teams. I am surprised at the absence of
US/Russian/EU hackers. Perhaps they are selling their exploits at a much larger
premium on the black market, to the NSA et al.

~~~
shakna
> I am a bit disappointed to see this since it was a new browser from ground
> up

It's really not. The browser does have some new innovations... But it isn't
something new from the ground up.

EdgeHTML is a fork of Trident. They dropped legacy code, and fixed a ton of
things... But still a fork. In fact, EdgeHTML was available as an experimental
feature in IE11.

Chakra is a fork of the JavaScript engine that was running in IE.

Edge is nowhere near a brand new browser. But it does look like they're on the
way to get IE right under the new name. (Though security still needs some more
work, apparently.)

------
api
Every single bug I saw here could have been prevented if systems were coded in
a safer language than C.

~~~
bobsam
I hear this so often... Do you think these would ever have been written if the
devs had to fight the borrow checker all day long?

~~~
nickpsecurity
I think more complex stuff might be written under those circumstances:

[https://www.redox-os.org/](https://www.redox-os.org/)

Or they could give up and do a better architecture instead for damage
containment with interface checks on potentially-malicious input:

[http://hypervisor.org/](http://hypervisor.org/)

[https://genode.org/about/index](https://genode.org/about/index)

[http://www.perseus-os.org/content/pages/Architecture.htm](http://www.perseus-os.org/content/pages/Architecture.htm)

Such architectures have been commercially deployed in embedded, mobile, and
desktops for quite a while. Earliest one I remember still supported was about
2005 for x86 desktops. All by companies or CompSci groups _much_ smaller than
VMware in labor and budget simply applying methods that worked in the past in
high-assurance security. Cutting assurance down where complexity or budget
demanded but _only_ where it was necessary. These big, mainstream companies
cut it _way_ down for reasons of _profit maximization_ of existing market
share. Then they end up at Pwn2Own or their customers on breach lists.
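
The two threads above (api and bobsam on C versus a memory-safe language, nickpsecurity on interface checks at the boundary with untrusted input) can be shown together on one small piece of code. The following is an added example written for this thread; it is not VMware's code, nor any project's, and the device, its 256-byte register window and the `GuestRequest` shape are all constructed for illustration. It models the one thing a hypervisor's device emulation must always do: treat every field of a guest request as attacker-controlled and validate it before touching host memory.

```rust
// Added example, not from the thread or from any hypervisor: a guest-facing
// interface to an emulated device's register file. Every field of the request
// is guest-controlled, so it is checked at the trust boundary before any
// device state is read or written.

/// Size of the emulated device's register window, in bytes (constructed value).
const REG_WINDOW: usize = 256;

/// A request as it arrives from the guest (constructed shape).
#[derive(Debug, Clone, Copy)]
pub struct GuestRequest {
    pub offset: usize,
    pub len: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AccessError {
    OutOfRange { offset: usize, len: usize },
    Misaligned(usize),
    BadLength(usize),
}

pub struct Device {
    regs: [u8; REG_WINDOW],
}

impl Device {
    pub fn new() -> Self {
        Device { regs: [0; REG_WINDOW] }
    }

    /// The interface check: reject anything that is not a naturally aligned
    /// 1/2/4/8-byte access fully inside the window. `checked_add` matters:
    /// in C, `offset + len < size` passes when the addition wraps around.
    fn check(req: GuestRequest) -> Result<std::ops::Range<usize>, AccessError> {
        if !matches!(req.len, 1 | 2 | 4 | 8) {
            return Err(AccessError::BadLength(req.len));
        }
        if req.offset % req.len != 0 {
            return Err(AccessError::Misaligned(req.offset));
        }
        let out_of_range = AccessError::OutOfRange { offset: req.offset, len: req.len };
        let end = req.offset.checked_add(req.len).ok_or(out_of_range)?;
        if end > REG_WINDOW {
            return Err(AccessError::OutOfRange { offset: req.offset, len: req.len });
        }
        Ok(req.offset..end)
    }

    /// Little-endian read of `len` bytes at `offset`, only after validation.
    pub fn read(&self, req: GuestRequest) -> Result<u64, AccessError> {
        let range = Self::check(req)?;
        // Even if `check` were forgotten, this index is bounds-checked by the
        // language: it panics instead of reading adjacent host memory, which is
        // the difference from an unchecked `regs[offset]` in C.
        let mut value = 0u64;
        for (i, b) in self.regs[range].iter().enumerate() {
            value |= (*b as u64) << (8 * i);
        }
        Ok(value)
    }

    /// Little-endian write of `len` bytes at `offset`, only after validation.
    pub fn write(&mut self, req: GuestRequest, value: u64) -> Result<(), AccessError> {
        let range = Self::check(req)?;
        for (i, slot) in self.regs[range].iter_mut().enumerate() {
            *slot = (value >> (8 * i)) as u8;
        }
        Ok(())
    }
}

fn main() {
    let mut dev = Device::new();
    dev.write(GuestRequest { offset: 8, len: 4 }, 0xdead_beef).unwrap();
    println!("{:?}", dev.read(GuestRequest { offset: 8, len: 4 }));
    // A guest-chosen offset near usize::MAX: the naive C-style sum wraps to a
    // small number and would pass a `< size` test; here it is rejected.
    println!("{:?}", dev.read(GuestRequest { offset: usize::MAX - 3, len: 4 }));
}
```

The point the two comments circle around is visible in `read`: the explicit `check` is the "interface check on potentially-malicious input" from nickpsecurity's architecture argument, and the bounds-checked slice index is the language-level safety net api refers to. Neither depends on the borrow checker; what a memory-safe language buys here is that forgetting the check turns into a crash of the device model rather than a silent read of whatever host memory sits next to `regs`.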

