Contestants at this year's Pwn2Own hacking competition in Vancouver have just pulled off an unusually impressive feat. They compromised Microsoft’s Edge browser in a way that escapes the VMware Workstation virtual machine it is running in. The hack fetched them a prize of $105,000, the highest awarded in the past three days.
According to a tweet from the contest’s organizers on Friday morning, members of Qihoo 360’s security team carried out the hack by exploiting a heap overflow bug in Edge, a kind of confusion flaw in the Windows kernel, and an uninitialized buffer vulnerability in VMware. The result is a “complete virtual machine escape.”
Virtual machines are crucial to the security of large organisations and individuals everywhere. In server hosting environments, they are used as containers that prevent one customer’s operating system and data from being accessed by another customer sharing the same physical server. Virtual machines like the VMware Workstation hacked on Friday are also used on desktop computers to isolate untrusted content. Should the guest operating system be compromised through a drive-by browsing exploit or similar attack, the hackers still don’t get access to data or operating system resources on the host machine.
Friday’s success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.