The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the annual Pwn2Own hacking contest, and two zero-day security vulnerabilities have so far been discovered in Safari on macOS.
/article-new/2019/03/pwn2own-cama-zhu.jpg?lossy)
The contest kicked off on Wednesday with security researchers Amat Cama and Richard Zhu teaming up against Safari. The duo successfully exploited the browser and escaped the sandbox by using a combination of an integer overflow, heap overflow, and brute force technique, earning them $55,000.
Later in the day, a trio of Niklas Baumstark, Luca Todesco, and Bruno Keith targeted Safari with a kernel elevation. They demonstrated a complete system compromise, but it was only a partial win since Apple supposedly already knew of one of the bugs used in the demo. They still netted $45,000.
In total, participants were awarded $240,000 on day one of Pwn2Own. Day two of the contest is currently underway. All exploits discovered during the contest are reported to the necessary companies like Apple so they can be patched.
Top Rated Comments
(View all)Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.
You know these "kids" do this for a living and the entire purpose of the contest – the whole reason it's there – is to find vulnerabilities in software? Be that from Apple, Google, Microsoft, or applications like VMWare and VirtualBox...At least hire these kids, good grief.
Also, they get paid for it. Quite a lot.
Good grief indeed.
At least hire these kids, good grief.
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.
These are not kids. They probably make more money doing this instead of working for a company like Apple.At least hire these kids, good grief.
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.
What these guys do - (intentionally hunting vulnerabilities) - and what that kid did regarding FaceTime - (accidentally stumbled upon a vulnerability) - are not the same thing. Most of them are already gainfully employed.At least hire these kids, good grief.
but at least in the past they were using older versions of Apple's software, especially older versions of Safari, and the tricks they pulled couldn't be replicated in current versions.
I don't think that's right. Afaik, Pwn2Own has always required the most up to date versions of software to be running on systems. Again, afaik. Also, these aren't really tricks. There are different categories of devices they're trying to defeat. One that may be relevant to your IRL query is the attempt against Tesla that's happening today.so I would be curious to see deets on what they were actually trying to hack
also how many of these tricks could actually be performed IRL. can they remotely access my computer etc. or do they need access to my actual computer to target me.
Direct info: https://www.thezdi.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more
I appreciate all of the work they're doing on privacy, but in this world these kinds of attacks are the biggest threats to privacy. They really need to keep security as a top priority.
Also: I appreciate the structure of this event. Hack like crazy and keep the companies in the loop.