Andrew Wesie is a security researcher at Theori, specializing in exploitation and reverse engineering. He is also an avid CTF player with four wins at DEFCON CTF finals as part of Plaid Parliament of Pwning (PPP). When he is not hacking browsers or playing CTFs, he is developing software-defined radio applications and contributing to the Wine project.
[Abstract]
==========
Browsers remain a ripe source of vulnerabilities, with 80+ CVEs during 2017 for Microsoft Edge alone. These vulnerabilities are often fueled by new features in the Javascript language and deeper analysis of the backend JIT engines by security researchers. At the same time, browser vendors have continued to improve security through additional mitigations and sandboxing. We will discuss the methodology of exploiting browsers in 2017 by analyzing recent patches and developing 1-day exploits for Microsoft Edge. We will also analyze a recent vulnerability in the Windows kernel and use it to escalate our privileges.