ArsTechnica reports today on a successful VM escape exploit employed during this year’s Pwn2Own hacking contest. Most impressively, it’s launchable from a webpage: the exploit doesn’t even need to run directly in the guest VM, but can run straight from Microsoft Edge on a guest Windows 10.
Naturally, this type of exploit is always more than a little unsettling. The most reliable way to sandbox programs is to run them in a virtual machine; a properly virtualised program will never be able to touch the host operating system, the principle goes, and we often rely on it.
The contestants have been awarded a handsome $105,000 for their efforts, making them this contest’s biggest victors. Expect the relevant bugs to be patched before their details are released publically — just make sure you keep your software updated in the meantime.