Pwn2Own is an annual hacking contest where security teams get together and attempt to break into popular web browsers and operating systems. It is organized by Trend Micro’s Zero Day Initiative group, and aims to mimic a real-world zero-day market by offering cash prizes for hacks that successfully hijack PCs running fully patched versions of applications and other software.
Unfortunately for Microsoft Edge, it came away from the contest in a less than flattering light, having been successfully hacked the most times. Edge was hacked a total of five times, compared to three and a half breaches for Safari, one for Firefox, and zero for Chrome.
Chrome was the most secure browser last year as well, with only a partially successful hack.
To be sure, there was only one attempt to hack Chrome this year, which failed in the allotted time. In comparison, Edge had to fend off multiple attempts throughout the three-day contest. But while it’s possible that Chrome may have fared worse had more teams attacked it, or if they had been given more time, the fact remains that Edge isn’t as secure as Microsoft makes it out to be.
Microsoft built Edge as a worthy competitor to Chrome and Firefox that would support the latest web standards and offer better security than Internet Explorer. It even features sandboxing technologies similar to those used in Chrome, which technically gives it an edge (no pun intended) over Firefox.
This is particularly serious because the whole point of running a virtual machine is to sandbox an environment and make the host machine more secure. This exploit fetched the team a nice US$105,000 in prize money. Overall, Edge was also responsible for the most prize money being awarded.
Pwn2Own does not require every browser to be attacked an equal number of times, so that again raises questions of fairness. Nevertheless, a hack is a hack, and the results show that Microsoft still has work to do to make Edge more secure if it wants to become one of the leading browsers.