Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,521
13,154



The sixteenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, and researchers participating in the Pwn2Own computer hacking contest have already discovered multiple vulnerabilities in OS X and the Safari web browser on the desktop.


On day one of the event, independent security researcher JungHoon Lee earned $60,000 after exploiting both OS X and Safari. Lee uncovered four vulnerabilities in total, including one exploit in Safari and three other vulnerabilities within the OS X operating system, according to security firm Trend Micro.
JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000.
Meanwhile, the report claims that the Tencent Security Team Shield group successfully executed code that enabled them to gain root privileges to Safari using "two use-after-free vulnerabilities," including one in Safari and the other in a "privileged process." The researchers were awarded $40,000 in prize money.

The five participating teams earned a total of $282,500 in prizes on day one, including a leading $132,500 earned by the 360Vulcan Team, according to the report. Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows.


Apple representatives have attended Pwn2Own in the past, and affected parties are made aware of all security vulnerabilities discovered during the contest in order to patch them. Pwn2Own day two began today at 9:00 a.m. Pacific and will involve additional exploit attempts against OS X and Safari.

Article Link: Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016
 
  • Like
Reactions: 997440

zorinlynx

macrumors 603
May 31, 2007
6,398
10,163
Florida, USA
This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

Every system is exploitable, even one with a good track record like OS X. Be careful where you browse. Stay up to date on updates. This is also why I'm angered by websites that force you to turn off ad blockers; ad networks are the #1 source of malware there is.
 
Comment

'Dorian

macrumors member
Aug 30, 2014
84
65
Where it's warm
This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

Every system is exploitable, even one with a good track record like OS X. Be careful where you browse. Stay up to date on updates. This is also why I'm angered by websites that force you to turn off ad blockers; ad networks are the #1 source of malware there is.

Ad blockers like Adblock still allow non-intrusive and non-malicious ads. If a website makes you turn off Adblock, you might have to wonder why.

I wonder if Apple could use this in their FBI case. "Um guys... you want us to create a back door, there's contests that reward people for breaking the code. Imagine if they KNEW there was a back door and they just needed to find it."
 
Comment

Lettershort

macrumors newbie
Mar 17, 2016
1
4
Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows.

While researchers tried to compromise Edge, the Edge attack was not successful (both the video and the linked article say as much: "Tencent Xuanwu Lab: Adobe Flash in Microsoft Edge: This attempt failed."). So it isn't accurate to say that it was successfully targeted.
 
Comment

oneMadRssn

macrumors 603
Sep 8, 2011
5,426
12,579
Europe
Is the fact this story has a screenshot of the MacRumors homepage meant to imply that MacRumors is using this exploit to gain root access to our computers?
 
Comment

Traverse

macrumors 604
Mar 11, 2013
7,067
3,400
Here
Hmmm, at least it was at Pwn2own and not some shady group.

I'd like to know more details about the hacks, although that is a violation.
 
  • Like
Reactions: You are the One
Comment

MrGuder

macrumors 68030
Nov 30, 2012
2,927
1,938
This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

Every system is exploitable, even one with a good track record like OS X. Be careful where you browse. Stay up to date on updates. This is also why I'm angered by websites that force you to turn off ad blockers; ad networks are the #1 source of malware there is.
This is why I don't understand why Apple has allowed content blockers (apps from the App Store) to help remove ads while using safari on the iPhones but hasn't allowed the same content blockers on OS X safari.
 
Comment

glindon

macrumors 6502
Jun 9, 2014
379
666
Phoenix
This is why I don't understand why Apple has allowed content blockers (apps from the App Store) to help remove ads while using safari on the iPhones but hasn't allowed the same content blockers on OS X safari.
They have the same content blocker system on OS X. I'm using one now.
 
  • Like
Reactions: name99 and flowsy
Comment

LovingTeddy

Suspended
Oct 12, 2015
1,848
2,148
Canada
Wait... I though OS X is invincible and perfectly secure... According to people in this forum... The only reason they switch to Apple is Windows and Android is not secure enough... Guess they need find third platform now...
 
  • Like
Reactions: beachmusic
Comment

timeconsumer

macrumors 68000
Aug 1, 2008
1,847
1,580
Portland
Wait... I though OS X is invincible and perfectly secure... According to people in this forum... The only reason they switch to Apple is Windows and Android is not secure enough... Guess they need find third platform now...
I don't think it's "invincible and perfectly secure" but I think due to having less market share that it's a safer option. I think most malicious content will be targeted to the masses which would be Windows and Android as they have more users overall.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.