Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016

Discussion in 'Mac Blog Discussion' started by MacRumors, Mar 17, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    The sixteenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, and researchers participating in the Pwn2Own computer hacking contest have already discovered multiple vulnerabilities in OS X and the Safari web browser on the desktop.

    [​IMG]

    On day one of the event, independent security researcher JungHoon Lee earned $60,000 after exploiting both OS X and Safari. Lee uncovered four vulnerabilities in total, including one exploit in Safari and three other vulnerabilities within the OS X operating system, according to security firm Trend Micro.
    Meanwhile, the report claims that the Tencent Security Team Shield group successfully executed code that enabled them to gain root privileges to Safari using "two use-after-free vulnerabilities," including one in Safari and the other in a "privileged process." The researchers were awarded $40,000 in prize money.

    The five participating teams earned a total of $282,500 in prizes on day one, including a leading $132,500 earned by the 360Vulcan Team, according to the report. Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows.


    Apple representatives have attended Pwn2Own in the past, and affected parties are made aware of all security vulnerabilities discovered during the contest in order to patch them. Pwn2Own day two began today at 9:00 a.m. Pacific and will involve additional exploit attempts against OS X and Safari.

    Article Link: Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016
     
  2. zorinlynx macrumors 68040

    zorinlynx

    Joined:
    May 31, 2007
    Location:
    Florida, USA
    #2
    This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

    Every system is exploitable, even one with a good track record like OS X. Be careful where you browse. Stay up to date on updates. This is also why I'm angered by websites that force you to turn off ad blockers; ad networks are the #1 source of malware there is.
     
  3. 'Dorian macrumors member

    'Dorian

    Joined:
    Aug 30, 2014
    Location:
    Where it's warm
    #3
    Ad blockers like Adblock still allow non-intrusive and non-malicious ads. If a website makes you turn off Adblock, you might have to wonder why.

    I wonder if Apple could use this in their FBI case. "Um guys... you want us to create a back door, there's contests that reward people for breaking the code. Imagine if they KNEW there was a back door and they just needed to find it."
     
  4. jdillings macrumors 6502a

    Joined:
    Jun 21, 2015
    #4
    $60,000 for one day's work....I think I need to change jobs.
     
  5. thederby macrumors regular

    Joined:
    Jun 22, 2007
    Location:
    Austin, TX
    #5
    this is more than one day's work.
     
  6. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    ~
  7. Sasparilla macrumors 6502

    Joined:
    Jul 6, 2012
    #7
    Keep finding the holes and closing them guys. It's alot better that these issues are exposed and fixed than bought up and kept private (without the developers knowing).
     
  8. Lettershort macrumors newbie

    Lettershort

    Joined:
    Mar 17, 2016
    #8
    While researchers tried to compromise Edge, the Edge attack was not successful (both the video and the linked article say as much: "Tencent Xuanwu Lab: Adobe Flash in Microsoft Edge: This attempt failed."). So it isn't accurate to say that it was successfully targeted.
     
  9. diddl14 macrumors 6502a

    diddl14

    Joined:
    Aug 10, 2009
    #9
    What a surprise..
     
  10. Amacfa macrumors 6502a

    Amacfa

    Joined:
    May 22, 2009
    Location:
    D.C.
    #10
    That's what Siri said
     
  11. oneMadRssn macrumors 68030

    oneMadRssn

    Joined:
    Sep 8, 2011
    Location:
    Boston, MA
    #11
    Is the fact this story has a screenshot of the MacRumors homepage meant to imply that MacRumors is using this exploit to gain root access to our computers?
     
  12. Traverse macrumors 603

    Traverse

    Joined:
    Mar 11, 2013
    Location:
    Here
    #12
    Hmmm, at least it was at Pwn2own and not some shady group.

    I'd like to know more details about the hacks, although that is a violation.
     
  13. Cuban Missles macrumors 68040

    Cuban Missles

  14. MrGuder macrumors 65816

    MrGuder

    Joined:
    Nov 30, 2012
    #14
    This is why I don't understand why Apple has allowed content blockers (apps from the App Store) to help remove ads while using safari on the iPhones but hasn't allowed the same content blockers on OS X safari.
     
  15. glindon macrumors member

    glindon

    Joined:
    Jun 9, 2014
    Location:
    Phoenix
    #15
    They have the same content blocker system on OS X. I'm using one now.
     
  16. You are the One macrumors 6502

    You are the One

    Joined:
    Dec 25, 2014
    Location:
    In the present
  17. LovingTeddy macrumors 6502a

    LovingTeddy

    Joined:
    Oct 12, 2015
    Location:
    Canada
    #17
    Wait... I though OS X is invincible and perfectly secure... According to people in this forum... The only reason they switch to Apple is Windows and Android is not secure enough... Guess they need find third platform now...
     
  18. Goatllama macrumors 6502

    Goatllama

    Joined:
    Jun 24, 2015
    Location:
    Mountaintop Lair
    #18
    "Attempts to compromise Adobe Flash player were confounded when its doors were found to be completely open..." ;)
     
  19. MrGuder macrumors 65816

    MrGuder

    Joined:
    Nov 30, 2012
    #19
    I use purify for my iPhone but can't for OS X
     
  20. timeconsumer macrumors 6502a

    timeconsumer

    Joined:
    Aug 1, 2008
    Location:
    PNW
    #20
    I don't think it's "invincible and perfectly secure" but I think due to having less market share that it's a safer option. I think most malicious content will be targeted to the masses which would be Windows and Android as they have more users overall.
     
  21. T Coma macrumors member

    T Coma

    Joined:
    Dec 3, 2015
    Location:
    People's Republic of Chicago
    #21
    And 10 Master of Pwn points!!!
     
  22. navaira macrumors 68030

    navaira

    Joined:
    May 28, 2015
    Location:
    Amsterdam, Netherlands
    #22
    I'm very tempted to say something trollish about how SIP was supposed to make us so safe that we couldn't even do stuff as root ourselves.
     
  23. jonnysods macrumors 601

    jonnysods

    Joined:
    Sep 20, 2006
    Location:
    There & Back Again
    #23
    I'm actually really thankful that there are events like this. Helps us have a safer and more secure computing experience.
     
  24. Amazing Iceman macrumors 68040

    Amazing Iceman

    Joined:
    Nov 8, 2008
    Location:
    Florida, U.S.A.
    #24
    In this second decade of the 21st Century, 'Researcher' is the new legal term for 'Hacker'. :D
    --- Post Merged, Mar 17, 2016 ---
    Yeah, you get no prize money for finding vulnerabilities in Flash!!! :D
     
  25. macs4nw macrumors 68040

    macs4nw

    #25
    Good work guys. The ball is in Apple's court. Patch those vullies now!
     

Share This Page