Researchers Uncover macOS and Safari Exploits at Pwn2Own 2018 [Updated]

by

The eighteenth annual CanSecWest security conference is underway in downtown Vancouver, Canada, where researchers are competing in the 11th Pwn2Own computer hacking contest for over $2 million in prizes.

Day one results have already been published over at the Zero Day Initiative website, with a couple of successful Mac-related exploits already appearing in the list of achievements.

Image via Zero Day Initiative

Samuel Groß of phoenhex returned to Pwn2Own to successfully hack Apple's desktop Safari browser. Groß used a JIT optimization bug in Safari, a macOS logic bug, and a kernel overwrite to execute code to successfully exploit the browser, earning himself $65,000 and six points towards Master of Pwn. The exploit also caused a text-based message to appear on a MacBook Pro's Touch Bar.

The achievement harks back to Groß's similar success at last year's event, where he targeted Safari with an escalation to root on macOS that allowed him and Niklas Baumstark to scroll a message on a MacBook Pro Touch Bar, earning them $28,000.

Another Safari exploit at Pwn2Own 2018 was initiated by Richard Zhu, who managed to bypass iPhone 7 security protocols with the help of two Safari bugs at November's Pwn2Own mobile event. However, this time Zhu failed to get his exploit chain working within the allotted 30-minute time limit.

Richard Zhu at Pwn2Own 2018 (Image via ZDI)

Unfazed, Zhu returned to wow the crowd with a Microsoft Edge exploit that used two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel to successfully run his code with elevated privileges. The dramatic effort against the ticking clock earned him $70,000 and seven points towards Master of Pwn.

Apple representatives have attended the Pwn2Own contest in the past, and affected parties are made aware of all security vulnerabilities discovered during the contest so that they can be patched in future software updates.

The participating teams earned a total of $162,000 in prizes on day one, and the event resulted in three Apple bugs, two Oracle bugs, and three Microsoft bugs. Pwn2Own day two begins today at 10:00 a.m. Pacific and will involve additional exploit attempts against macOS and Safari.

Update: On Pwn2Own Day 2, MWR Labs, a team consisting of Alex Plaskett, Georgi Geshev, and Fabi Beterke successfully used two Safari vulnerabilities to execute a sandbox escape. For the feat, they earned $55,000 and 5 Master of Pwn points.

In a separate attempt, Markus Gaasedelen, Nick Burnett, Patrick Biernat of Ret2 Systems, Inc. tried to target Safari using an elevation of privileges kernel exploit, but the team was unable to get the exploit working in the allotted time period.

Tag: Pwn2Own

Top Rated Comments

(View all)
Avatar
30 months ago
Excellent. Bug bounties are great for everyone.
Score: 11 Votes (Like | Disagree)
Avatar
30 months ago
If guys using a laptop in their bedrooms can hack a Mac & iPhone during their spare time, one can only wonder what the NSA is capable of
Score: 3 Votes (Like | Disagree)
Avatar
30 months ago
Nice payday.
Score: 3 Votes (Like | Disagree)
Avatar
30 months ago

If guys using a laptop in their bedrooms can hack a Mac & iPhone during their spare time, one can only wonder what the NSA is capable of

Afaik, they’re hiring the same guys with laptops in their bedrooms.
Score: 2 Votes (Like | Disagree)
Avatar
30 months ago
Hmph. And some macrumors members don’t understand the love for the TouchBar ;)

If guys using a laptop in their bedrooms can hack a Mac & iPhone during their spare time, one can only wonder what the NSA is capable of

One cannot understand why Apple doesn’t hire these people to work on Apple services and products. I really hope a Pawn team figures out and demonstrates a Siri hack and then Siri gets rapid advancement as a result.

Then again maybe their too busy having fun hacking Alexa:

Random creepy laughs,
Random answering questions or denying tasks in quite bedroom at 3AM,
Executing commands nobody in hearing range ever gave.

Yeah not in any need for a connected smart speaker. I already have insomnia I don’t need schizophrenia induced trauma to go along with it lol.
Score: 2 Votes (Like | Disagree)
Avatar
30 months ago

Give me one good reason why do they need contests when each of them can report their hacking individually and earn more?

This entire "contest" is an illusion. The exploits that they are showing are not discovered on the spot, they are the product of months of research and development. However this dramatic fashion of unveiling them gives the researchers fame and publicity, and forces the vendor to acknowledge and fix the vulnerabilities rather than privately kicking the can down the road for potentially a year at a time.
Score: 2 Votes (Like | Disagree)

Top Stories

Hands On With iPhone 12 Models Showing New Sizes and Design

Monday July 6, 2020 2:04 pm PDT by
Ahead of the launch of new iPhones we often see dummy models created based on leaked schematics and specifications, with those models designed to let case makers create cases for the new devices ahead of their release. We got our hands on a set of dummy models that represent the iPhone 12 lineup, giving us our first close look at the iPhone 4-style design and the different size options. Subscri ...

Everything New in iOS 14 Beta 2: New Calendar Icon, Files Widget and More

Tuesday July 7, 2020 11:38 am PDT by
Apple today released the second beta of iOS 14 to developers for testing purposes, tweaking and refining some of the features that are coming in the update. Below, we've rounded up all of the changes that we found in the second beta. - Calendar icon - There's a new Calendar app icon in iOS 14 beta 2, with the day of the week abbreviated rather than spelled out. - Clock icon - The clock...

iPhone 12 Sizes Compared with iPhone SE, 7, 8, SE 2, X, 11, 11 Pro and 11 Pro Max [Update]

Tuesday July 7, 2020 6:49 pm PDT by
Apple is planning on launching the iPhone 12 this fall which is rumored to be coming in 3 different sizes: 5.4", 6.1" and 6.7". The middle size (6.1") matches up with the currently shipping iPhone 11, but the other two sizes will be entirely new. Over the weekend, there was some excitement about how well the new 5.4" iPhone 12 compares to the original iPhone SE. Those who have been hoping...

Tom Hanks Discusses 'Heartbreaking' Shift of WWII Film Greyhound From Theatrical Blockbuster to Apple TV+ Exclusive

Monday July 6, 2020 7:53 am PDT by
Tom Hanks' WWII drama "Greyhound" is set to premiere on Apple TV+ this Friday, July 10, and ahead of that debut the actor gave an interview with The Guardian discussing the film. "Greyhound" was originally planned to see a theatrical release this summer, and was repeatedly delayed in the wake of the ongoing Covid-19 pandemic. Apple won the streaming rights to the film, and in the new...

Developer's Visual Comparison of macOS Catalina and Big Sur Offers Closer Look at Apple's UI Redesign for Macs

Tuesday July 7, 2020 4:00 am PDT by
macOS 11 Big Sur is the next major release of Apple's operating system for Mac, and following its preview at WWDC, one of the biggest discussions has revolved around the all-new user interface redesign. Developers are still learning what the impact the new UI will have on their apps, and with that in mind, app designer Andrew Denty has compiled an extensive visual comparison of the user...

5.4-Inch iPhone 12 Model Size Compared to Original iPhone SE and iPhone 7

Saturday July 4, 2020 9:44 pm PDT by
iPhone 12 dummy models based on leaked schematics have been starting to circulate online and in online marketplaces. Not happy with the circulating size comparisons between the rumored 5.4" iPhone 12 and the original iPhone SE models, MacRumors forum user iZac took matters into his own hands and purchased his own 5.4" dummy model to provide more detailed size comparisons between the original...

Shipping Estimates for 27-Inch iMac Continue to Slip, Now Into September

Monday July 6, 2020 6:55 am PDT by
Amid rumors and hints of a forthcoming update for the iMac, supplies of Apple's current 27-inch iMac continue to dwindle with mid- and high-end stock configurations now seeing shipping estimates pushed back into September. The 27-inch iMac has seen tight supplies and extended shipping estimates for months now, but the situation has been gradually worsening to the point where new buyers can...

Apple Cuts iPhone Trade-In Values as iPhone 12 Launch Nears

Tuesday July 7, 2020 7:46 am PDT by
With just two months to go until the usual timeframe for Apple's iPhone launch events, Apple is cutting back on maximum trade-in values of previous-generation iPhones for those looking to upgrade to a new model. Maximum values on more recent models have dropped by $30–$50, while older models have generally dropped by $5–$20 with a few models seeing no change in value.iPhone XS Max: $500 to...

Analyst Believes iPhone 12 Pricing Will Start $50 Higher Even Without EarPods or Charger in Box

Wednesday July 8, 2020 9:35 am PDT by
Despite multiple reports indicating that Apple will not include EarPods or a wall charger with iPhone 12 models this year, one analyst believes that pricing will still increase slightly compared to the iPhone 11 lineup. In a research note provided to MacRumors, analyst Jeff Pu forecasted that iPhone 12 pricing will start at $749 for a new 5.4-inch model, an increase of $50 over the base...

14-Inch MacBook Pro With Mini-LED Display Expected to Enter Production in 2021

Wednesday July 8, 2020 7:51 am PDT by
Apple suppliers will begin competing to win manufacturing orders for new 14-inch and 16-inch MacBook Pro models with Mini-LED displays in the first quarter of 2021, according to Taiwanese research firm TrendForce. Rumors of a 14-inch MacBook Pro have surfaced since Apple replaced the 15-inch MacBook Pro with a new 16-inch model last year. Apple analyst Ming-Chi Kuo has previously said that...