Contestants at this year’s Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft’s heavily fortified Edge browser in a way that escapes the VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

According to a Friday morning tweet from the contest’s organizers, members of Qihoo 360’s security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel, and an uninitialized buffer vulnerability in VMware. The result was a “complete virtual machine escape.”

“We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine,” Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. “Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled website.”
View the original here:
Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
			