The 2017 Pwnie Nominee For Epic Achievement

360 Security (Qihoo)


This team took away ZDI’s Pwn2Own master prize by chaining three 0day exploits, taking them from browser sandbox to virtual machine escape on a fully patched VMWare Workstation. This was a first for ZDI. The initial vulnerability exploited a heap overflow in Microsoft Edge, followed by a kernel type confusion bug, ending in an uninitialized buffer vulnerability in SVGA, resulting in the highest payout from ZDI ($105k).