Windows 10 falls: Chinese hackers compromise Windows 10 through Edge.
Passerby A: Tell a joke.
Passerby B: Windows is secure.
Passerby A and Passerby B: Haha.
To make this joke a thing of the past, Microsoft put in real effort. Windows 10 should not be underestimated: during development, Microsoft added numerous advanced security mechanisms to the system (control-flow execution protection, font isolation, virtualization security, and simplified symbolic links). Because it carries no legacy burden, the Edge browser that ships with Windows 10 is equipped with an extremely strict security policy, and in security it leaves IE far behind.
So MJ0011 took notice.
MJ0011 (Zheng Wenbin), 360 Chief Engineer
At the POC hacker conference held in Seoul, South Korea, this "nemesis of Microsoft" demonstrated a sandbox escape on Edge: using Edge as the entry point, he broke into the system and gained control of it. With just a few simple operations, he could access the victim's files and monitor the computer.
It is worth noting that MJ's attack chains in a remote code execution vulnerability, which means an attacker can take control of the system purely through remote operations. Breaking into a heavily protected Windows system this way is close to the highest level of attack achievable today.
How strong is Edge?
At the Pwn2Own hacker competition earlier this year, MJ0011 (MJ for short) attracted much attention for leading his Vulcan team to break IE in 17 seconds. Although that version of IE had all of its security protections enabled, it is somewhat naive compared with Edge.
MJ told the editor:
Edge is equivalent to IE with all protection methods enabled by default, and many new protection policies are added on top. Even friends in the vulnerability business complain all day that they cannot get hold of an Edge vulnerability.
However, everything has its advantages and disadvantages. Edge went too far, with the result that it has almost no plug-ins; even many of Microsoft's own websites cannot be opened in Edge. To avoid losing too much face, Microsoft made a compromise: some web pages are allowed to jump to IE to open. (What? Back to the "good friend" IE! One can picture the smile at the corner of MJ's mouth.)
So, relying on IE, the "old friend of the Chinese people", MJ charged straight in and left everyone in the dust.
Microsoft Edge Browser
Microsoft's "acknowledgment" and "apology"
In fact, the Edge break was completed a few months ago. The technical details are being made public only now in order to give Microsoft time to fix the vulnerability.
Microsoft is an old friend of MJ's: he has submitted critical vulnerabilities several times and received Microsoft's acknowledgment or rewards. This time, however, Microsoft's response was not so satisfactory.
In fact, this attack requires two vulnerabilities:
1. A Flash vulnerability (used for remote code execution; the code it runs is still confined to the system sandbox. This vulnerability belongs to Adobe.)
2. A sandbox escape vulnerability (used to break out of the system sandbox and gain privileges by exploiting a vulnerability in IE. This vulnerability belongs to Microsoft.)
Adobe quickly fixed the vulnerability MJ submitted. Microsoft, however, delayed, and replied to MJ that the vulnerability did not look serious: users just need to adjust their protection settings in IE! MJ disagreed, for two reasons:
1. Guaranteeing the security of Edge by modifying IE settings is strange in itself. Besides, many users do not know how to configure IE.
2. In October, MJ found a new way to exploit this vulnerability, against which even the IE settings would not help.
For the sake of everyone's security, MJ sent Microsoft numerous emails and raised the issue face to face with the person in charge of Microsoft's vulnerability program, but never received a very positive response. So, after waiting half a year, MJ decided to stop sparing Microsoft's face. Before he left for South Korea, however, Microsoft contacted him, hoping to apologize and to fix the vulnerability. To be cautious, MJ decided at the last minute to black out some of the most critical information, and the conference team has not yet decided whether to publish the presentation.
Seeing MJ's "redacted edition" slides, don't you feel the urge to hit someone?
MJ has more "secret weapons"
James, a hacker at Google's famous Project Zero, used the phrase "two steps forward, one step back" to describe the security improvements in Microsoft Windows 10.
Compared with previous versions, Win10 adopts many new mechanisms, and rewriting that code can introduce new vulnerabilities along the way. So the new system still has its weak links.
In that case, the "battle" between him and Microsoft is far from over.
MJ also revealed in his POC talk that he still holds a Microsoft 0-day vulnerability, which he will use in next year's Pwn2Own competition. "After Pwn2Own next year, I will submit this vulnerability to Microsoft whether or not I have used it," he said.
The Vulcan team led by MJ has a slogan:
Live long and Pwn!
(Live long enough, and anything can be broken)
(Life without end, pwning without end)
Living alongside vulnerabilities may be the lifestyle as MJ understands it. Perhaps his greatest pleasure is this moment:
In the POC conference demonstration, a few mouse clicks bring up the picture that signals a successful break-in: "Hello World". In an instant, the audience burst into thunderous applause.