Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN

114003 cansecwest 2011

ZDNet reports that a MacBook running Safari was the first machine to fall victim to a security exploit in the PWN2OWN hacker challenge at the CanSecWest conference in Vancouver, Canada. French security researchers compromised the MacBook and launched code within five seconds of contacting the machine, winning a $15,000 cash prize and a new 13-inch MacBook Air for their efforts.

VUPEN co-founder Chaouki Bekrar lured a target MacBook to a specially rigged website and successfully launched a calculator on the compromised machine.

The hijacked machine was running a fully patched version of Mac OS X (64-bit).

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.

While Bekrar noted some difficulties in preparing the exploit due to a lack of documentation on how to exploit 64-bit Mac OS X code, his team was ultimately able to bypass several anti-exploit tactics included in Mac OS X to demonstrate how a machine could become comprised simply by visiting a malicious webpage and without crashing the browser.

Macs have become popular targets for researchers seeking to find security holes, with CanSecWest being a major forum for discussion and demonstration of their work. In 2007, the conference sponsored a "Hack a Mac" contest with a $10,000 cash prize, although organizers did have to loosen the contest rules before researchers succeeded in compromising a MacBook.

The following year, a MacBook Air was the first to be compromised at PWN2OWN, falling victim to a exploit initiated through Safari. Apple released a Safari update just a few weeks later to address that issue. And in 2010, noted researcher Charlie Miller used the conference to expose 20 zero-day holes in Mac OS X, claiming that Mac users' infrequent run-ins with hackers have primarily been due to "security by obscurity", with most malicious hackers preferring to attack Windows platforms with substantially larger user bases.

Notably, Apple is said to have reached out to security researchers for the first time with the initial developer build of Mac OS X Lion, inviting them to test out the forthcoming operating system in hopes of finding and patching as many holes as possible before Lion reaches customers' hands later this year. Miller and some other researchers have, however, scaled back their reporting of security flaws to Apple in the face of its refusal to match other companies' offerings of cash rewards for finding such holes.

Popular Stories

iPhone trade in

Apple Adjusts Trade-In Values for iPhones, Macs, and More

Wednesday January 25, 2023 9:40 am PST by
After announcing new Mac and HomePod models last week, Apple adjusted its trade-in values for select devices in the United States. iPhone trade-in values decreased by up to $80, and most Android smartphones also went down. Mac trade-in values remained unchanged or increased by up to $40 depending on the model, while some Apple Watch models increased in value and others decreased. Trade-in...
iPhone 14 Pro Purple Side Perspective Feature Purple

iPhone 15 Pro Expected Later This Year With These 7 Exclusive Features

Tuesday January 24, 2023 4:53 pm PST by
Apple's next-generation iPhone 15 Pro and iPhone 15 Pro Max are expected to be announced in September as usual. Already, rumors suggest the devices will have at least seven exclusive features not available on the standard iPhone 15 and iPhone 15 Plus. An overview of the seven features rumored to be exclusive to iPhone 15 Pro models:A17 chip: iPhone 15 Pro models will be equipped with an A17...
Mac mini M2 2023

New 256GB Mac Mini and 512GB MacBook Pro Have Slower SSD Speeds Than Previous Models

Tuesday January 24, 2023 1:11 pm PST by
While the new Mac mini with the M2 chip has a lower $599 starting price, the base model with 256GB of storage has slower SSD read and write speeds compared to the previous-generation model with the M1 chip and 256GB of storage. A teardown of the new Mac mini shared by YouTube channel Brandon Geekabit reveals that the 256GB model is equipped with only a single 256GB storage chip, while the...
apple tv 4k red image

Apple Releases tvOS 16.3

Tuesday January 24, 2023 10:10 am PST by
Apple today released tvOS 16.3, the third major point update to the tvOS 16 operating system that originally came out in September. Available for the Apple TV 4K and Apple TV HD, tvOS 16.3 comes six weeks after tvOS 16.2, an update that added Apple Music Sing. The tvOS 16.3 update can be downloaded over the air through the Settings app on the ‌‌‌‌Apple TV‌‌‌‌ by going to System > Software...
watchOS 9 Feature

Apple Releases watchOS 9.3 With New Watch Face, Bug Fixes

Monday January 23, 2023 10:06 am PST by
Apple today released watchOS 9.3, the third major update to the watchOS 9 operating system that first launched in September. watchOS 9.3 comes over a month after watchOS 9.2, an update that added new Workout functionality and Crash Detection optimizations. watchOS 9.3 can be downloaded for free through the Apple Watch app on the iPhone by opening it up and going to General > Software Update. ...
iOS 16

iOS 16.3 for iPhone Launching Next Week With These 4 New Features

Friday January 20, 2023 11:43 am PST by
In a recent press release, Apple confirmed that iOS 16.3 will be released to the public next week. The software update will be available for the iPhone 8 and newer and includes a handful of new features, changes, and bug fixes. Below, we've recapped bigger features in iOS 16.3, including support for physical security keys as a two-factor authentication option for Apple ID accounts, worldwide ...
maxresdefault

Hands-On With the New M2 Pro Mac Mini

Tuesday January 24, 2023 1:45 pm PST by
The new M2-series MacBook Pro and Mac mini models launched today, marking the debut of the first M2 Pro and M2 Max chips. We have the M2 Pro Mac mini on hand, and thought we'd take a look at the machine and do a series of benchmarks to see how it fits into Apple's lineup. Subscribe to the MacRumors YouTube channel for more videos. Base model Mac mini machines come with either an M2 or M2 Pro...
Ventura Macs Feature Blue

Apple Releases macOS Ventura 13.2

Monday January 23, 2023 10:09 am PST by
Apple today released macOS Ventura 13.2, the second major update to the macOS Ventura operating system initially released in October. macOS Ventura 13.2 comes more than a month after macOS Ventura 13.1, an update that added the Freeform app and other changes. The ‌macOS Ventura‌ 13.2 update can be downloaded for free on all eligible Macs using the Software Update section of System...