Interesting, so they could only bypass Chrome by exploiting Flash, and they also didn't use any zero days. http://community.hpe.com/t5/Security-Research/Pwn2Own-2016-Closing-out-the-first-day/ba-p/6842359
Yeah, it looks like once again Adobe Flash gleefully opens its wonky screen doors for hackers to gain access to system privileges and such. Flash has become a certifiable security joke.
And they weren't able to hack Chrome on day two, proving it's one of the mosts secure browsers. Microsoft Edge was hacked with a browser + kernel exploit. This also proofs that kernel exploits are crucial to hackers. So it's getting quite hard to hack browsers that run in a sandbox. http://community.hpe.com/t5/Securit...y-two-crowning-the-Master-of-Pwn/ba-p/6842863
Good to see Chrome could withstand these latest hacking attempts against it, especially given the impressive skill level of these hackers. Even Edge required a kernel exploit, as you alluded to, for it to be hacked. Hopefully more time and effort can be directed toward the kernel, even linux', to secure it better.
The other good news was that they weren't able to hack VMware Workstation, so they couldn't break out of a virtual machine.
Here’s the full breakdown for the 21 vulnerabilities: Microsoft Windows: 6 Apple OS X: 5 Adobe Flash: 4 Apple Safari: 3 Microsoft Edge: 2 Google Chrome: 1 (duplicate of an independently reported vulnerability) -http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/
Google Chrome on Linux x64 should be the most secure browser (hopefully), which is what I am using now. No Edge and Windows, no Mozilla Firefox, certainly no safari.
Using it on Linux as well. Notice the hackers don't even attempt to hack it on Linux, probably feeling it's a lost cause. The seccomp-bpf sandbox is a fortress. They don't probe at Sandboxie, either. Maybe too much time and effort to hack?
Guess so. I basically ditched all my Windows 10 OS on all my home computers, installed Ubuntu 14.04.4, and made a offline Windows 7 VM just for MS Office, Adobe PS/Acrobat etc.
Probably, because you first need to gain remote code execution via the browser, and after that you need to elevate privileges plus disable SBIE's protection. So for sure they would need to use a kernel bug.