Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN

114003 cansecwest 2011

ZDNet reports that a MacBook running Safari was the first machine to fall victim to a security exploit in the PWN2OWN hacker challenge at the CanSecWest conference in Vancouver, Canada. French security researchers compromised the MacBook and launched code within five seconds of contacting the machine, winning a $15,000 cash prize and a new 13-inch MacBook Air for their efforts.

VUPEN co-founder Chaouki Bekrar lured a target MacBook to a specially rigged website and successfully launched a calculator on the compromised machine.

The hijacked machine was running a fully patched version of Mac OS X (64-bit).

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.

While Bekrar noted some difficulties in preparing the exploit due to a lack of documentation on how to exploit 64-bit Mac OS X code, his team was ultimately able to bypass several anti-exploit tactics included in Mac OS X to demonstrate how a machine could become comprised simply by visiting a malicious webpage and without crashing the browser.

Macs have become popular targets for researchers seeking to find security holes, with CanSecWest being a major forum for discussion and demonstration of their work. In 2007, the conference sponsored a "Hack a Mac" contest with a $10,000 cash prize, although organizers did have to loosen the contest rules before researchers succeeded in compromising a MacBook.

The following year, a MacBook Air was the first to be compromised at PWN2OWN, falling victim to a exploit initiated through Safari. Apple released a Safari update just a few weeks later to address that issue. And in 2010, noted researcher Charlie Miller used the conference to expose 20 zero-day holes in Mac OS X, claiming that Mac users' infrequent run-ins with hackers have primarily been due to "security by obscurity", with most malicious hackers preferring to attack Windows platforms with substantially larger user bases.

Notably, Apple is said to have reached out to security researchers for the first time with the initial developer build of Mac OS X Lion, inviting them to test out the forthcoming operating system in hopes of finding and patching as many holes as possible before Lion reaches customers' hands later this year. Miller and some other researchers have, however, scaled back their reporting of security flaws to Apple in the face of its refusal to match other companies' offerings of cash rewards for finding such holes.

Popular Stories

ios 16 beta 5 battery percent

iOS 16 Beta 5: Battery Percentage Now Displayed in iPhone Status Bar

Monday August 8, 2022 10:43 am PDT by
With the fifth beta of iOS 16, Apple has updated the battery icon on iPhones with Face ID to display the specific battery percentage rather than just a visual representation of battery level. The new battery indicator is available on iPhone 12 and iPhone 13 models, with the exception of the 5.4-inch iPhone 12/13 mini. It is also available on the iPhone 11 Pro and Pro Max, XS and XS Max, and...
iPhone 14 Lineup Feature Purple

Color Options for All iPhone 14 Models: Everything We Know

Monday August 8, 2022 3:59 am PDT by
The iPhone 14 and iPhone 14 Pro models are rumored to be available in a refreshed range of color options, including an all-new purple color. Most expectations about the iPhone 14 lineup's color options come from an unverified post on Chinese social media site Weibo earlier this year. Overall, the iPhone 14 and iPhone 14 Pro's selection of color options could look fairly similar to those of the ...
iOS 16 battery percentage

Apple Limiting iOS 16 Beta 5 Battery Percentage Display to Select iPhones: Here Are the Supported Devices

Tuesday August 9, 2022 2:51 am PDT by
Apple this week brought back one of the most highly requested features from iOS users since the launch of the iPhone X in 2017: the ability to see your battery percentage directly in the status bar. Ever since the launch of the iPhone X with the notch, Apple has not allowed users to show their battery percentage directly in the status bar, forcing them to swipe down into Control Center to...
ios 16 battery indicator 2

Everything New in iOS 16 Beta 5: Battery Percentage in Status Bar, Find My Changes and More

Monday August 8, 2022 12:53 pm PDT by
Apple today seeded the fifth beta of iOS 16 to developers for testing purposes, introducing some small but notable changes to the iOS operating system. Subscribe to the MacRumors YouTube channel for more videos. We've rounded up everything new in the fifth beta below. Battery Percentage in Status Bar The battery icon in the status bar now displays the exact battery percent, a feature that ...
iphone 14 pro max camera bump compared lipilipsi 16 9

Bigger iPhone 14 Pro Max Camera Bump Shown Alongside iPhone 13 Pro Max

Monday August 8, 2022 4:33 am PDT by
The camera bump on the upcoming iPhone 14 Pro Max is expected to be the largest rear lens housing Apple has ever installed on its flagship smartphones, and a new photo offers a rare glimpse at just how prominent it is compared to Apple's predecessor device. iPhone 14 Pro Max dummy (left) vs iPhone 13 Pro Max All iPhone 14 models are expected to see upgrades to the Ultra Wide camera on the...
cook sept 2020 event

Gurman: Apple Preparing Pre-Recorded iPhone 14 and Apple Watch Series 8 Event

Sunday August 7, 2022 6:13 am PDT by
Apple has "started to record" its virtual September event, where it's expected to announce the upcoming iPhone 14 lineup, the Apple Watch Series 8, and a new "rugged" Apple Watch model, according to Bloomberg's Mark Gurman. Writing in his latest Power On newsletter, Gurman says the event, which is expected to take place in the early part of September, is already under production, implying...
airpods pro black background

Beyond iPhone 14: Five Apple Products Expected to Launch Later This Year

Monday August 8, 2022 9:43 am PDT by
While the iPhone 14 and Apple Watch Series 8 are expected to be announced in September as usual, there are several more Apple products rumored to launch later this year, including new iPad and Mac models and more. Beyond the iPhone and Apple Watch, we've put together a list of five Apple products that are most likely to be unveiled by the end of 2022. Second-Generation AirPods Pro Apple...