
MacRumors

macrumors bot
Original poster
Apr 12, 2001
55,425
17,773



The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the annual Pwn2Own hacking contest, and two zero-day security vulnerabilities have so far been discovered in Safari on macOS.


The contest kicked off on Wednesday with security researchers Amat Cama and Richard Zhu teaming up against Safari. The duo successfully exploited the browser and escaped the sandbox by using a combination of an integer overflow, heap overflow, and brute force technique, earning them $55,000.

Later in the day, a trio of Niklas Baumstark, Luca Todesco, and Bruno Keith targeted Safari with a kernel elevation. They demonstrated a complete system compromise, but it was only a partial win since Apple supposedly already knew of one of the bugs used in the demo. They still netted $45,000.


In total, participants were awarded $240,000 on day one of Pwn2Own. Day two of the contest is currently underway. All exploits discovered during the contest are reported to the necessary companies like Apple so they can be patched.

Article Link: Two Zero-Day Vulnerabilities Discovered in Safari for Mac on Day One of Pwn2Own Hacking Contest
 

miniyou64

macrumors 6502a
Jul 8, 2008
706
2,623
Why would you not remind readers what zero day means? Is everyone supposed to automatically know that?
 

keysofanxiety

macrumors G3
Nov 23, 2011
9,534
25,293
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.

At least hire these kids, good grief.

You know these "kids" do this for a living and the entire purpose of the contest – the whole reason it's there – is to find vulnerabilities in software? Be that from Apple, Google, Microsoft, or applications like VMware and VirtualBox...

Also, they get paid for it. Quite a lot.

Good grief indeed.
 

bbednarz

macrumors 65816
Nov 16, 2017
1,367
3,423
Chicago
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.

At least hire these kids, good grief.
Every other month a kid finds flaws in Microsoft's and others' software too. It is the nature of it. The longer it is around the more exploits that will be found. It is impossible for them to release software that is unexploitable.
 

69Mustang

macrumors 604
Jan 7, 2014
7,874
15,011
In between a rock and a hard place
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.

At least hire these kids, good grief.
What these guys do - (intentionally hunting vulnerabilities) - and what that kid did regarding FaceTime - (accidentally stumbled upon a vulnerability) - are not the same thing. Most of them are already gainfully employed.
 

Laird Knox

macrumors 68000
Jun 18, 2010
1,930
1,272
In addition to what everybody already said above - these bugs that were found on day one of the competition were targeted at Apple, VMware, and Oracle. The $240,000 in awards was not just for flaws found in Apple software.

It will be interesting to see what they find tomorrow with the Tesla.
 

whoisyourdaddy

Suspended
Oct 2, 2018
217
84
The video slays me with the editing as if the vulnerabilities were discovered and execution for using the flaw happens in mere minutes. Sure, after it's already been discovered days, weeks, or months in advance with ample practice. When will it get to this point for a "test".

 

charlituna

macrumors G3
Jun 11, 2008
9,636
815
Los Angeles, CA
You know these "kids" do this for a living and the entire purpose of the contest – the whole reason it's there – is to find vulnerabilities in software?
but at least in the past they were using older versions of Apple's software, especially older versions of Safari, and the tricks they pulled couldn't be replicated in current versions.
so I would be curious to see deets on what they were actually trying to hack

also how many of these tricks could actually be performed IRL. can they remotely access my computer etc. or do they need access to my actual computer to target me.
 

MauiPa

macrumors 68030
Apr 18, 2018
2,612
3,687
but at least in the past they were using older versions of Apple's software, especially older versions of Safari, and the tricks they pulled couldn't be replicated in current versions.
so I would be curious to see deets on what they were actually trying to hack

also how many of these tricks could actually be performed IRL. can they remotely access my computer etc. or do they need access to my actual computer to target me.

Sounds like you want to read up on security flaws. Here is a website. https://thehackernews.com/?m=1 Mostly Windows and Android, WinRAR, Facebook, etc. but also Mac and iOS
 

69Mustang

macrumors 604
Jan 7, 2014
7,874
15,011
In between a rock and a hard place
but at least in the past they were using older versions of Apple's software, especially older versions of Safari, and the tricks they pulled couldn't be replicated in current versions.
so I would be curious to see deets on what they were actually trying to hack

also how many of these tricks could actually be performed IRL. can they remotely access my computer etc. or do they need access to my actual computer to target me.
I don't think that's right. Afaik, Pwn2Own has always required the most up to date versions of software to be running on systems. Again, afaik. Also, these aren't really tricks. There are different categories of devices they're trying to defeat. One that may be relevant to your IRL query is the attempt against Tesla that's happening today.

Direct info: https://www.thezdi.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more
 

Analog Kid

macrumors 604
Mar 4, 2003
6,512
6,147
I know the threat environment is changing, and the systems are getting more complex, and Apple is under more scrutiny than ever before, but it still feels like Apple's security cred is slipping.

I appreciate all of the work they're doing on privacy, but in this world these kinds of attacks are the biggest threats to privacy. They really need to keep security as a top priority.

Also: I appreciate the structure of this event. Hack like crazy and keep the companies in the loop.
 

sha1sum

macrumors newbie
Mar 21, 2019
2
1
St Petersburg, FL
What these guys do - (intentionally hunting vulnerabilities) - and what that kid did regarding FaceTime - (accidentally stumbled upon a vulnerability) - are not the same thing. Most of them are already gainfully employed.

In my opinion these folks should get early opportunities for bounties during alpha instead of catching this stuff in production. Basically outsourced security QA. Would make me feel more comfortable about releases from major companies.
 

Kabeyun

macrumors 68040
Mar 27, 2004
3,200
5,997
Eastern USA
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.

At least hire these kids, good grief.
Wrong. These are good things. These contests, bug bounties, etc., are designed to help improve software that can’t be perfect. Anyone who knows anything about major software development, including the little I know, knows that.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,388
19,452
Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.

At least hire these kids, good grief.
Is that not really the case for other large software companies? Google gets its share of exploits, so does Microsoft, so do pretty much all others.
 

sha1sum

macrumors newbie
Mar 21, 2019
2
1
St Petersburg, FL
Wrong. These are good things. These contests, bug bounties, etc., are designed to help improve software that can’t be perfect. Anyone who knows anything about major software development, including the little I know, knows that.

Seems like every month some kid finds some kid finding an exploit in some software and blames them as if they wrote the code. SO ANNOYING!
 

halluxsinister

macrumors regular
Oct 17, 2017
185
195
Is almost a quarter million dollars not a lot more expensive than properly testing code BEFORE it's released? This is getting embarrassing.





 

killhippie

macrumors 6502
Jan 12, 2016
446
381
UK
Is almost a quarter million dollars not a lot more expensive than properly testing code BEFORE it's released? This is getting embarrassing.
Embarrassing for whom? macOS and OSX have always been full of holes like Swiss cheese, it mostly went under the radar due to security by obscurity, it can't really do that any more, but then again Safari still ships with open safe files upon downloading...

I install Firefox, which I much prefer as a browser, with it set to block tracking cookies and tracking scripts, then use either uBlock Origin or Adblock Plus with EasyPrivacy added. Then I use a VPN feature in my router (use any VPN not in the 14 eye countries, I prefer Nord VPN just personal preference not a suggestion) then I set up what I want to go through the normal pathways or what services and apps I want to go through the VPN, like my browser goes through a VPN but app store does not etc. same with TV gaming console, iPad iPhone etc and once again what apps or services I think should be hidden or need to be direct for better downloads or streaming or privacy, it's a neat feature.

I feel Safari really is playing catch up still with some of the other browsers out there, and it can't afford to do that, or take so long between updates. I would rather have more patches than leave holes waiting to get fixed until the new hardware drops, which is what it feels like right now. I'm sure the new iMacs will drop with 12.14.4 (maybe a special version) and the iPads with 12.2 already on them as they ramp up production, meaning they could probably have dropped this week for the rest of us, if those images are already on the new hardware waiting to ship.
 

dmylrea

macrumors 68040
Sep 27, 2005
3,692
4,897
Why would you not remind readers what zero day means? Is everyone supposed to automatically know that?

Google is your friend:

"The term “zero-day” refers to a newly discovered software vulnerability. ... But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That's known as a zero-day attack." -- Norton.com
 

realtuner

Suspended
Mar 8, 2019
1,714
5,053
Canada
There seems to be some misconceptions about how these researchers work.

They don't just set them down in front of a machine and say "you have 1 hour to break into Safari" and away they go. They aren't "on-demand" hackers who can break into anything on the spot.

They would have spent months looking for vulnerabilities and testing exploits and kept them a secret until the conference. Then they'd demonstrate them (while being timed) and if they are able to replicate their exploit within the time frame they get the prize money.

The idea that you can just hire a few people like this to work at Apple and they'll simply sit down and clear up any exploits in your software is ridiculous.
 

miniyou64

macrumors 6502a
Jul 8, 2008
706
2,623
Google is your friend:

"The term “zero-day” refers to a newly discovered software vulnerability. ... But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That's known as a zero-day attack." -- Norton.com

I know what it is. But do average readers? The writer should have included what this means in the article.
 