
Pwn2Own 2017: Windows, Ubuntu, Edge, Safari, Firefox exploited

The tenth anniversary of the Pwn2Own gathering of hackers, Pwn2Own 2017, saw eleven teams attempt to exploit products across four categories.

The products that teams were allowed to target this year included operating systems and web browsers, but also the new product categories Enterprise applications and server-side.

Programs like Adobe Reader and Apache Web Server were added as targets by the Pwn2Own committee.

The first two days of the conference have passed already, and they saw successful, unsuccessful, and withdrawn exploit attempts.

On day one, teams managed to successfully exploit Adobe Reader (twice), Apple Safari (twice), Microsoft Edge, and Ubuntu Desktop. Attacks against Google Chrome and Microsoft Windows failed.

Additional attacks against Edge and Safari failed or were withdrawn, however.


On day two, teams exploited Adobe Flash (twice), Microsoft Edge (twice), Apple Safari, Mac OS X, Mozilla Firefox, Apple Safari and Windows successfully.

Other attacks against Firefox, Windows, Microsoft Edge, and Apple Mac OS X failed, were withdrawn, or were disqualified.

Day three will see three additional attempts being made against the following targets: Microsoft Edge (twice) and VMware Workstation. We will update the article once the results are published.

Update: Microsoft Edge was attacked successfully twice, and the guest-to-host attack against VMware Workstation succeeded as well.

Analysis

Three of the four product categories of the Pwn2Own 2017 gathering are interesting to computer users.

On the operating system side, Windows, Mac OS X and Ubuntu Desktop were exploited successfully.

On the browser side, Microsoft Edge, Firefox, and Safari were exploited successfully. The one attack attempt against Chrome failed, and a second attack against Firefox failed as well. Both Edge and Safari were exploited multiple times.

On the application side, Adobe's Flash Player and Reader products were exploited successfully multiple times.

It is surprising that the most secure browser, according to Microsoft, was exploited successfully several times.

As far as browsers go, Chrome was the only browser not exploited successfully. Please note that Chromium-based browsers like Vivaldi or Opera were not part of the product range that teams could attack this year.

Companies with successfully exploited products are usually fast when it comes to releasing security updates for their products. It is likely that this trend will continue this year, so expect updates soon for affected products.

Last year's Pwn2Own saw successful exploits of Windows, Apple OS X, Safari, Edge, Chrome and Adobe Flash.

Videos

You can check out videos of the results of the first day below. If additional videos are posted, we will add them to the article as well.

Additional information on this year's Pwn2Own event is available on the TrendMicro Zero Day Initiative blog.

 

This article was first seen on ComTek's "TekBits" Technology News
