Tianfu Cup PWN 2019 - China's top white-hat hackers have gathered at Hacking Contest

Discussion in 'other security issues & news' started by mood, Nov 17, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    32,009
    Chrome, Edge, Safari hacked at elite Chinese hacking contest
    November 17, 2019
    https://www.zdnet.com/article/chrome-edge-safari-hacked-at-elite-chinese-hacking-contest/
    Of the successful sessions, Tianfu Cup organizers reported successful hacks of:
    • (3 successful exploits) Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version)
    • (2) Chrome hacks
    • (1) Safari
    • (1) Office 365
    • (2) Adobe PDF Reader
    • (3) D-Link DIR-878 router
    • (1) qemu-kvm + Ubuntu
    The seven successful exploits targeted:
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    32,009
    Zero-Day Exploits Earn Hackers Over $500K at Chinese Competition
    November 18, 2019
    https://www.securityweek.com/zero-day-exploits-earn-hackers-over-500k-chinese-competition
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,908
    Location:
    The Netherlands
    LOL, they could even hack Chrome and I assume they could escape the sandbox. I bet those guys who said that you didn't need Sandboxie to protect Chrome feel real dumb now.
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,194
    If Chrome couldn't be hacked, then there probably wouldn't be any point to report security vulnerabilities and update the browser.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,843
    Location:
    Canada
    Where are the details of how they succeeded with the exploit on Chrome? Are you sure Sandboxie is needed to protect Chrome? That’s a rather bold assertion you make.
     
    Last edited: Nov 27, 2019
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,908
    Location:
    The Netherlands
    No, it's not about that. As I have said numerous times, you can also use tools like AV and AE to protect the browsers. But I remember that a lot of people believe that you don't need Sandboxie anymore because browsers like Chrome, Edge and Firefox have their own sandboxes. I believe this isn't true. And I'm not sure if these Chinese hackers used kernel exploits or not, but in theory you can break out of the sandbox without them.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,843
    Location:
    Canada
    Right, and I was one of those who believe using Sandboxie with Chrome or any Chrome-based browser is unnecessary, although I didn't state the same with Firefox. But I also did not say that the Chrome sandbox alone will provide absolute security. The trouble with Sandboxie, as well as Chrome and Chrome-based browsers, is it harnesses usermode hooks, so this type of security provides, as I read recently in a technical article somewhere, only a partial fence running the perimeter of the yard, so the dog could still find a way to escape. Their sandboxes are very good, but they don't provide the same level of security that kernel mode security can provide, which is why augmenting with one of or a combination of AV, behavior blocker, HIPS, anti-executable, SRP, AppLocker, script blocking extension, ...etc, is probably a good idea. I suppose Sandboxie could be another way too, but look at what's happening for quite some time now where with every major Windows update, something in Sandboxie seems to break, and based on several posts in these forums, a lot of people are having issues using Sandboxie with Chrome, so that compounds the problems.
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    32,009
    VMware Patches ESXi Vulnerability That Earned Hacker $200,000
    December 6, 2019
    https://www.securityweek.com/vmware-patches-esxi-vulnerability-earned-hacker-200000
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,908
    Location:
    The Netherlands
    It's purely a technical discussion. If you use anti-exploit software then of course you don't necessarily need a tool like Sandboxie. But it's a fact that if Chrome or Firefox get hacked, Sandboxie running on top might still be able to contain the malware, because of its virtualization capabilities. It virtualizes the file system, registry and interprocess communications. So a bypass of the Chrome or Firefox sandbox isn't automatically a bypass of Sandboxie. You need to find specific holes in Sandboxie in order to bypass it.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,908
    Location:
    The Netherlands
    That's another discussion of course. We all know that future development of Sandboxie is uncertain. But to be honest, I never had any problems lately. I didn't even have to update Sandboxie and newer versions of Vivaldi kept working. But I'm still using Win 8.1, this probably also plays a role.
     