Mozilla Firefox, Microsoft Edge succumb in web browser competition at Pwn2Own

The second day of Pwn2Own 2019 featured more successful attacks from the "Flouroacetate" team of Amat Cama and Richard Zhu.
Pwn2Own 2019 day two
Richard Zhu, in plaid shirt, and Amat Cama, right, watch as they compete in the 2019 Pwn2Own contest with a zero-day exploit against the Microsoft Edge web browser. (Zero Day Initiative / Twitter)

The first day of this year’s Pwn2Own competition featured successful zero-day exploits on a popular web browser, and day two was no different, with the “Fluoroacetate” duo of Amat Cama and Richard Zhu turning their attention to Mozilla’s Firefox and Microsoft’s Edge.

The team took home another $180,000 for their attacks, bringing their overall winnings to $340,000 for the competition, which highlights critical bugs in widely distributed software. Thursday’s winners also included Niklas Baumstark, who won $40,000 for a Firefox attack, and Arthur Gerkis of Exodus Intelligence, who won $50,000 for successfully targeting Edge.

Competitors spend months preparing for the annual Pwn2Own hacking contest in Vancouver, which takes place during the CanSecWest security conference. Participants are tasked with trying to find vulnerabilities in widely used technology, and rewarded with cash prizes. They are only given a short amount of time to demonstrate their exploits for the crowd and judges.

Team Flouroacetate’s attacks on day two of this year’s competition were noteworthy because of their apparent ease.  In their demonstrations Thursday, Cama and Zhu navigated Mozilla and Edge to a custom-made website that delivered the malicious code necessary to attack the browsers.


For the Firefox hack, they “leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level” simply by navigating to their special site, according to a blog post from the Zero Day Initiative (ZDI), which runs Pwn2Own. JIT bugs involve the “just-in-time” compilers that browsers use to translate code — such as JavaScript — into the computer’s underlying machine language.

For their Edge attack, Cama and Zhu opened the software within a VMware Workstation client, browsed to the malicious webpage, and that’s all it took for them to execute code on the underlying hypervisor — the software that creates and runs virtual machines. “They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation,” the blog post said. VMware is one of the sponsors of this year’s Pwn2Own.

Baumstark — who was part of the “phoenhex & qwerty” team that successfully hacked Safari on Wednesday — targeted Firefox on Thursday. “He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user,” ZDI said.


Gerkis attacked Edge, “using a double free bug in the renderer followed by a logic bug to bypass the sandbox,” ZDI said. Browsers sandboxes generally serve to isolate web-based software from interacting improperly with the rest of a computer’s operating system. Thursday was Gerkis’ first entry ever in Pwn2Own.

Friday’s competition is oriented around hacking the Tesla Model 3, marking the first time Pwn2Own has offered an automotive competition.

Latest Podcasts