Two major Safari security flaws were uncovered at this week's Pwn2Own conference in Vancouver, one of which could be used to seize full control of a targeted Mac.
Demonstrated by the "phoenhex & qwerty" team during the contest, the biggest vulnerability involves a website triggering a JIT bug and two heap out-of-bounds reads, then a time-of-check-time-of-use bug to move from root access to the kernel. Though Apple is reportedly aware of one of the bugs used, the team won $45,000 for their efforts.
Another team, "Fluoroacetate," took home $55,000 for finding a way of escaping macOS sandboxing via a Safari integer overflow and a heap overflow. The hack did, however, take nearly all of the team's allotted time, since at one point it relied on a brute-force technique; that is, it had to fail repeatedly before succeeding.
Along with cash prizes, which totalled $240,000 on the first day alone, teams also receive the notebooks the exploits are demonstrated on, as well as "Master of Pwn" points for the overall competition.
Pwn2Own Vancouver is being hosted by Trend Micro's Zero Day Initiative. The program offers financial incentives to white-hat hackers after validating their efforts, with increasing payouts if they remain loyal.
The competition and incentives are attempts to get hackers and researchers to warn developers and companies about security issues in a responsible manner, instead of selling the exploits to black-hat hackers. While the issues could net higher rewards if sold to bad actors, that would also leave software vulnerable to attack until the issue was discovered and disclosed by others.
While this primarily benefits Trend Micro's security products, it also notifies vendors like Apple, ideally improving overall platform security. Full details on the new Safari flaws won't be made public until Apple has issued a patch, which, depending on the flaw and disclosure requirements, could take months.
Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers. Two other Safari exploits were uncovered at 2018's edition of the conference, for example.
26 Comments
This is excellent. Good job, security guys. Thanks for making all Apple platforms better.
Is there any way to tell if these exploits have ever been used in the wild?
What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.