The annual hacking competition, organized by Trend Micro’s Zero Day Initiative, unearthed a raft of major bugs across multiple platforms
Richard Zhu – also known as fluorescence – won $120,000 in the event after exposing security flaws in the both of the browsers.
He successfully targeted Microsoft Edge by using two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel, allowing him to inject code with elevated privileges.
Two previous attempts saw Zhu fail, and at one point his target blue-screened in front of crowds.
But the third successful try saw him earn $70,000 and seven points.
On day two, Zhu attacked Mozilla Firefox with a Windows kernel elevation of privileges (EoP) on his first attempt by using an out-of-bounds (OOB) in the browser before using an integer overflow.
He earned a further $50,000 for this exploit and five Master of Pwn points – crowning him as the leader of this year’s tournament.
Zhu was also awarded $20,000 for an exploit in Safari, though he ran out of time to execute this and wasn’t awarded any more points.
Elsewhere in the competition, Samuel GroB, or 5aelo, of team phoenhex came in second place with six points after targeting Apple Safari with a macOS kerner EoP.
He managed to execute code with a kernel extension, bagging $65,000 for his efforts.
In third place was a team from MWR labs gained code execution in Apple’s Safari browser.
They used a sandbox escape to perform code execution, gaining $55,000 and five Master of Pwn points.
China ban
This year, the Chinese government banned its citizens from taking part in the competition.
A new policy stops research teams from attending global exploit contests, especially those held in Western countries, such as Pwn2Own.
This meant tech giants Qihoo 360, Tencent and Alibaba – who are usually tough competitors – bowed out for 2018.
Some have claimed this move was made to stop Chinese researchers from sharing their knowledge with other countries.
Brian Gorenc, director of Pwn2Own, told Cyberscoop: “There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions.”
A spokesperson from Trend Micro, which sponsors the contest alongside Microsoft, confirmed that his comments were related to China.