Pwn2Own 2016 - The Results are In: Browsers Are Still Not Secure

March 18, 2016 | Franklyn Jones

The annual Pwn2Own hacking event, held each year at CanSecWest in Vancouver, is the very definition of geek fun. Imagine white hat teams from all over the world coming together with the singular goal of competing for significant cash prizes by hacking into the latest versions of "secure" web browsers. Good times.

As a reminder, the star last year was Jung Hoon Lee from South Korea, who broke through Chrome in just 2 minutes. Well, it's been a full year, and it's clear that Chrome has become a far more secure browser because it required a full 11 minutes for the 360Vulcan team from China to successfully hack Chrome this year.

Despite this impressive achievement, the coveted "Master of Pwn" title was ultimately awarded to Tencent Security Team Sniper following "its successful code execution of a vulnerability in Microsoft's Edge browser." The same team also successfully exploited Safari's vulnerabilities. In the end, $460,000 in cash prizes were awarded to the various teams involved. Well done.

The results of every Pwn2Own event are a continual reminder that no web browser is secure, despite sincere best efforts by the companies that stand behind them. In their defense, browsers were never intended to be security tools.

But all of this raises one important question - why would you allow unknown code from an unknown source to be downloaded and rendered on secure endpoint devices inside your otherwise secure network? There's an unfortunate irony here, given the amount of money companies spend each year on security technologies to keep bad stuff out, and protect their network perimeter and endpoint devices. It doesn't seem quite right, does it?

This is why a growing number of organizations are looking at solutions that can isolate all original web content outside their networks, to ensure that no web malware ever comes inside their networks. With Isolation Technology, browsers on endpoint devices are never responsible for rendering web content - only displaying a transformed version of that content. This effectively eliminates the web browser as a primary attack vector, significantly improves network security, and restores web freedom for users inside the network. Learn more about this technology by watching this short 3-minute video.

Franklyn Jones, CMO, Spikes Security
