Two critical zero-day Safari vulnerabilities exposed at Vancouver security conference

Posted:
in macOS
Two major Safari security flaws were uncovered at this week's Pwn2Own conference in Vancouver, one of which could seize full control of a targeted Mac.

Apple Safari


Demonstrated by the "phoenhex & qwerty" team during the contest, the biggest vulnerability involves a website triggering a JIT bug and two heap out-of-bounds reads, then a time-of-check-time-of-use bug to move from root access to the kernel. Though Apple is reportedly aware of one of the bugs used, the team won $45,000 for their efforts.

Another team, "Fluoroacetate," took home $55,000 for finding a way of escaping macOS sandboxing via a Safari integer overflow and a heap overflow. The hack did however take nearly all of the team's allotted time, since at one point it relied on a brute force technique -- that is, it had to fail repeatedly before succeeding.

Along with cash prizes, which totalled $240,000 in the first day alone, teams also receive the notebooks the exploits are demonstrated on, as well as "Master of Pwn" points for the overall competition.

Pwn2Own Vancouver is being hosted by Trend Micro's Zero Day Initiative. The program offers financial incentives to white-hat hackers after validating their efforts, with increasing payouts if they remain loyal.

The competition and incentives are attempts for hackers and researchers to warn developers and companies about security issues in a responsible manner, instead of selling the exploits to black-hat hackers. While the issues could net higher rewards by selling to bad actors, it would also leave software vulnerable to attack until the issue was discovered and disclosed by others.

While this primarily benefits Trend Micro's security products, it also notifies vendors like Apple, ideally improving overall platform security. Full details on the new Safari flaws won't be made public until Apple has issued a patch, which depending on the flaw and disclosure requirements, could take months.

Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers. Two other Safari exploits were uncovered at 2018's edition of the conference, for example.
«1

Comments

  • Reply 1 of 26
    racerhomie3racerhomie3 Posts: 1,062member
    This is excellent. Good job security guys. Thanks for making all Apple platforms better.
    mac_dogchasmdewme
  • Reply 2 of 26
    Is there any way to tell if these exploits have ever been used in the wild?
  • Reply 3 of 26
    coolfactorcoolfactor Posts: 1,451member

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers.

    Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?


  • Reply 4 of 26
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
  • Reply 5 of 26
    elijahgelijahg Posts: 883member
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    I use it probably more than any other app on my Macs, and it is great. Faster than FF and Chrome - also without the tracking features, it syncs well with my other Macs and iPhone. Oh and supports handoff. Plus uses much less RAM than Chrome especially. Lots of people seem to be moving away from Chrome back to FF actually.
    lkrupppropodberndogStrangeDaysfastasleepuraharalostkiwichasm
  • Reply 6 of 26
    gatorguygatorguy Posts: 20,453member

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers.

    Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?


    No it's convenient how you don't bother reading the source for the story linked in the AI article to see why, yet want to imply AI is hiding something.
    Try this for an idea: Read it and you'll figure out for yourself why Chrome and Firefox weren't mentioned. 
    beowulfschmidtelijahgfastasleepchristophb
  • Reply 7 of 26
    chadbagchadbag Posts: 1,080member
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    What’s Chrome?

    oh, you mean the bloated spyware from Google?
    berndogStrangeDaysElCapitanlostkiwi
  • Reply 8 of 26
    lkrupplkrupp Posts: 6,969member

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers. 
    So let’s not have a hissy fit and single out Safari for ridicule shall we.
    chasm
  • Reply 9 of 26
    DAalsethDAalseth Posts: 577member
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    Not in my house. Chrome is just a data mining tool and I won't install it on my systems,.
    ericthehalfbeeMplsPpropodberndogmacseekerStrangeDaysElCapitanlostkiwichasm
  • Reply 10 of 26
    lkrupplkrupp Posts: 6,969member
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    Almost everybody who owns a Mac uses Safari exclusively, including me. Your holier than-thou-attitude is cute though.
    edited March 21 StrangeDaysfastasleepuraharachasm
  • Reply 11 of 26
    lkrupplkrupp Posts: 6,969member

    gatorguy said:

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers.

    Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?


    No it's convenient how you don't bother reading the source for the story linked in the AI article to see why, yet want to imply AI is hiding something.
    Try this for an idea: Read it and you'll figure out for yourself why Chrome and Firefox weren't mentioned. 
    Because they weren’t involved. Firefox and Microsoft Edge up next on day two. Day three is for automotive software. No mention of Chrome, I guess because it’s so trivial to pwn because of its spyware base code.
    edited March 21 lostkiwidavidw
  • Reply 12 of 26
    gatorguygatorguy Posts: 20,453member
    lkrupp said:

    gatorguy said:

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers.

    Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?


    No it's convenient how you don't bother reading the source for the story linked in the AI article to see why, yet want to imply AI is hiding something.
    Try this for an idea: Read it and you'll figure out for yourself why Chrome and Firefox weren't mentioned. 
    Because they weren’t involved. Firefox and Microsoft Edge up next on day two. Day three is for automotive software. No mention of Chrome, I guess because it’s so trivial to pwn because of its spyware base code.
    I was trying to encourage him to follow the link himself. AI very often includes those in their articles, but a whole lot of folks don't bother reading them for additional context before commenting, sometimes inaccurately as a result. Then it takes several posts in before pertinent facts are mentioned and misconceptions cleared up. 
    electrosoftmknelson
  • Reply 13 of 26
    StrangeDaysStrangeDays Posts: 7,331member
    elijahg said:
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    I use it probably more than any other app on my Macs, and it is great. Faster than FF and Chrome - also without the tracking features, it syncs well with my other Macs and iPhone. Oh and supports handoff. Plus uses much less RAM than Chrome especially. Lots of people seem to be moving away from Chrome back to FF actually.
    Yeah this guy is nuts, a rabid hater only. Safari is far more efficient and uses less power than Chrome. Plus has superior content blockers, plus cookie/tracker blockers. Chrome is a surveillance device for Google properties. 
    fastasleeplostkiwi
  • Reply 14 of 26
    RayerRayer Posts: 13member
    lkrupp said:
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    Almost everybody who owns a Mac uses Safari exclusively, including me. Your holier than-thou-attitude is cute though.
    Care to provide a citation instead of your opinion?
  • Reply 15 of 26
    teams also receive the notebooks the exploits are demonstrated on

    I'd be reluctant to take a computer back from an effective hacking team, too.  ;^)

  • Reply 16 of 26

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers.

    Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?


    Don't worry bud.  The big money payouts are for escaping Tesla, Microsoft, and Google.  No one is picking on Apple.
    Payouts for exploits
  • Reply 17 of 26
    gatorguygatorguy Posts: 20,453member
    lkrupp said:

    gatorguy said:

    Apple products are regularly cracked at Pwn2Own, as are Microsoft's and third-party browsers.

    Convenient how you don't mention Chrome or Firefox directly. Not a big fan of Safari?


    No it's convenient how you don't bother reading the source for the story linked in the AI article to see why, yet want to imply AI is hiding something.
    Try this for an idea: Read it and you'll figure out for yourself why Chrome and Firefox weren't mentioned. 
    Because they weren’t involved. Firefox and Microsoft Edge up next on day two. Day three is for automotive software. No mention of Chrome, I guess because it’s so trivial to pwn because of its spyware base code.
    Yes there is. A Chrome hack could be worth as much as $80K. It's right there on the site. 
  • Reply 18 of 26
    elijahg said:
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    I use it probably more than any other app on my Macs, and it is great. Faster than FF and Chrome - also without the tracking features, it syncs well with my other Macs and iPhone. Oh and supports handoff. Plus uses much less RAM than Chrome especially. Lots of people seem to be moving away from Chrome back to FF actually.
    Yeah this guy is nuts, a rabid hater only. Safari is far more efficient and uses less power than Chrome. Plus has superior content blockers, plus cookie/tracker blockers. Chrome is a surveillance device for Google properties. 
    Is it only me, or have content blockers in Safari never been able to block the video ads on Youtube?
    edited March 21
  • Reply 19 of 26
    fastasleepfastasleep Posts: 2,722member
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    /eyeroll 

    Safari is faster, less memory hungry, more energy efficient, and better integrated across iOS and macOS both including but not limited to Handoff, Apple Pay, iCloud Keychain, and on and on. 

    I only use FIrefox Developer edition for my work stuff, to keep that fully separated when actively working on client sites. I’m not really sure why anyone would choose to use Firefox over Safari except for the sheer amount of tweaking you can do to it via all the themes and extensions available. The only reason I have Chrome installed at all is because of web dev testing and bug stomping, otherwise I’d never let that shit anywhere close to my Mac. 

    I often ask clients and friends why they use Chrome or FF and they usually can’t give a good answer. Often they don’t even sign into their accounts across separate machines or OSes to sync all their bookmarks/history/etc. It’s baffling, just like your specious claim that Safari is somehow inferior. 
    StrangeDays
  • Reply 20 of 26
    maltzmaltz Posts: 129member
    DAalseth said:
    What's Safari? Who uses that? It was good 10 years ago, but now it is Chrome or Firefox only.
    Not in my house. Chrome is just a data mining tool and I won't install it on my systems,.
    Firefox is pretty good though.  Probably better than Safari in regards to privacy, with built-in tracker blocking and browser fingerprint resistance.  (Both are off by default, but they're there.)  The tracker blocking is actually fairly comprehensive ad blocking, since almost all ads are also trackers these days.
    lostkiwi
Sign In or Register to comment.