Two critical zero-day Safari vulnerabilities exposed at Vancouver security conference
Two major Safari security flaws were uncovered at this week's Pwn2Own conference in Vancouver, one of which could seize full control of a targeted Mac.
Demonstrated by the "phoenhex & qwerty" team during the contest, the biggest vulnerability involves a website triggering a JIT bug and two heap out-of-bounds reads, then a time-of-check-time-of-use bug to move from root access to the kernel. Though Apple is reportedly aware of one of the bugs used, the team won $45,000 for their efforts.
Another team, "Fluoroacetate," took home $55,000 for finding a way of escaping macOS sandboxing via a Safari integer overflow and a heap overflow. The hack did however take nearly all of the team's allotted time, since at one point it relied on a brute force technique -- that is, it had to fail repeatedly before succeeding.
Along with cash prizes, which totalled $240,000 in the first day alone, teams also receive the notebooks the exploits are demonstrated on, as well as "Master of Pwn" points for the overall competition.
Pwn2Own Vancouver is being hosted by Trend Micro's Zero Day Initiative. The program offers financial incentives to white-hat hackers after validating their efforts, with increasing payouts if they remain loyal.
The competition and incentives are attempts for hackers and researchers to warn developers and companies about security issues in a responsible manner, instead of selling the exploits to black-hat hackers. While the issues could net higher rewards by selling to bad actors, it would also leave software vulnerable to attack until the issue was discovered and disclosed by others.
While this primarily benefits Trend Micro's security products, it also notifies vendors like Apple, ideally improving overall platform security. Full details on the new Safari flaws won't be made public until Apple has issued a patch, which depending on the flaw and disclosure requirements, could take months.
Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers. Two other Safari exploits were uncovered at 2018's edition of the conference, for example.
Demonstrated by the "phoenhex & qwerty" team during the contest, the biggest vulnerability involves a website triggering a JIT bug and two heap out-of-bounds reads, then a time-of-check-time-of-use bug to move from root access to the kernel. Though Apple is reportedly aware of one of the bugs used, the team won $45,000 for their efforts.
Another team, "Fluoroacetate," took home $55,000 for finding a way of escaping macOS sandboxing via a Safari integer overflow and a heap overflow. The hack did however take nearly all of the team's allotted time, since at one point it relied on a brute force technique -- that is, it had to fail repeatedly before succeeding.
Along with cash prizes, which totalled $240,000 in the first day alone, teams also receive the notebooks the exploits are demonstrated on, as well as "Master of Pwn" points for the overall competition.
Pwn2Own Vancouver is being hosted by Trend Micro's Zero Day Initiative. The program offers financial incentives to white-hat hackers after validating their efforts, with increasing payouts if they remain loyal.
The competition and incentives are attempts for hackers and researchers to warn developers and companies about security issues in a responsible manner, instead of selling the exploits to black-hat hackers. While the issues could net higher rewards by selling to bad actors, it would also leave software vulnerable to attack until the issue was discovered and disclosed by others.
While this primarily benefits Trend Micro's security products, it also notifies vendors like Apple, ideally improving overall platform security. Full details on the new Safari flaws won't be made public until Apple has issued a patch, which depending on the flaw and disclosure requirements, could take months.
Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers. Two other Safari exploits were uncovered at 2018's edition of the conference, for example.
Comments
Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?
Try this for an idea: Read it and you'll figure out for yourself why Chrome and Firefox weren't mentioned.
oh, you mean the bloated spyware from Google?
Because they weren’t involved. Firefox and Microsoft Edge up next on day two. Day three is for automotive software. No mention of Chrome, I guess because it’s so trivial to pwn because of its spyware base code.
I'd be reluctant to take a computer back from an effective hacking team, too. ;^)
Payouts for exploits
Safari is faster, less memory hungry, more energy efficient, and better integrated across iOS and macOS both including but not limited to Handoff, Apple Pay, iCloud Keychain, and on and on.
I only use FIrefox Developer edition for my work stuff, to keep that fully separated when actively working on client sites. I’m not really sure why anyone would choose to use Firefox over Safari except for the sheer amount of tweaking you can do to it via all the themes and extensions available. The only reason I have Chrome installed at all is because of web dev testing and bug stomping, otherwise I’d never let that shit anywhere close to my Mac.
I often ask clients and friends why they use Chrome or FF and they usually can’t give a good answer. Often they don’t even sign into their accounts across separate machines or OSes to sync all their bookmarks/history/etc. It’s baffling, just like your specious claim that Safari is somehow inferior.