Two Zero-Day Vulnerabilities Discovered in Safari for Mac on Day One of Pwn2Own Hacking Contest

Discussion in 'Mac Blog Discussion' started by MacRumors, Mar 21, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the annual Pwn2Own hacking contest, and two zero-day security vulnerabilities have so far been discovered in Safari on macOS.


    The contest kicked off on Wednesday with security researchers Amat Cama and Richard Zhu teaming up against Safari. The duo successfully exploited the browser and escaped the sandbox by using a combination of an integer overflow, heap overflow, and brute force technique, earning them $55,000.

    Later in the day, a trio of Niklas Baumstark, Luca Todesco, and Bruno Keith targeted Safari with a kernel elevation. They demonstrated a complete system compromise, but it was only a partial win since Apple supposedly already knew of one of the bugs used in the demo. They still netted $45,000.


    In total, participants were awarded $240,000 on day one of Pwn2Own. Day two of the contest is currently underway. All exploits discovered during the contest are reported to the necessary companies like Apple so they can be patched.

    Article Link: Two Zero-Day Vulnerabilities Discovered in Safari for Mac on Day One of Pwn2Own Hacking Contest
     
  2. M.PaulCezanne macrumors 6502a

    M.PaulCezanne

    Joined:
    Mar 5, 2014
    #2
    Seems like every other month some kid finds an exploit in Apple software. Yes - I know no software is perfect, but you’d think the world’s richest company could do better.

    At least hire these kids, good grief.
     
  3. miniyou64, Mar 21, 2019
    Last edited: Mar 22, 2019

    miniyou64 macrumors 6502a

    miniyou64

    Joined:
    Jul 8, 2008
    #3
    Why would you not remind readers what zero day means? Is everyone supposed to automatically know that?
     
  4. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #4
    You know these "kids" do this for a living and the entire purpose of the contest – the whole reason it's there – is to find vulnerabilities in software? Be that from Apple, Google, Microsoft, or applications like VMWare and VirtualBox...

    Also, they get paid for it. Quite a lot.

    Good grief indeed.
     
  5. bbednarz macrumors 65816

    bbednarz

    Joined:
    Nov 16, 2017
    Location:
    Chicago
    #5
    Every other month a kid finds flaws in Microsoft's and others' software too. It is the nature of it. The longer it is around, the more exploits will be found. It is impossible for them to release software that is unexploitable.
     
  6. Peepo macrumors 6502a

    Joined:
    Jun 18, 2009
    #6
    These are not kids. They probably make more money doing this instead of working for a company like Apple.
     
  7. 69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #7
    What these guys do - (intentionally hunting vulnerabilities) - and what that kid did regarding FaceTime - (accidentally stumbled upon a vulnerability) - are not the same thing. Most of them are already gainfully employed.
     
  8. Laird Knox macrumors 68000

    Joined:
    Jun 18, 2010
    #8
    In addition to what everybody already said above - these bugs that were found on day one of the competition were targeted at Apple, VMware, and Oracle. The $240,000 in awards was not just for flaws found in Apple software.

    It will be interesting to see what they find tomorrow with the Tesla.
     
  9. whoisyourdaddy Suspended

    Joined:
    Oct 2, 2018
    #9
    The video slays me with the editing, as if the vulnerabilities were discovered and the execution using the flaw happens in mere minutes. Sure, after it's already been discovered days, weeks, or months in advance with ample practice. When will it get to this point for a "test"?
  10. charlituna macrumors G3

    charlituna

    Joined:
    Jun 11, 2008
    Location:
    Los Angeles, CA
    #10
    But at least in the past they were using older versions of Apple's software, especially older versions of Safari, and the tricks they pulled couldn't be replicated in current versions.
    So I would be curious to see deets on what they were actually trying to hack.

    Also, how many of these tricks could actually be performed IRL? Can they remotely access my computer, etc., or do they need access to my actual computer to target me?
     
  11. MauiPa macrumors 6502

    Joined:
    Apr 18, 2018
    #11
    Sounds like you want to read up on security flaws. Here is a website: https://thehackernews.com/?m=1 Mostly Windows and Android, WinRAR, Facebook, etc., but also Mac and iOS.
     
  12. 69Mustang, Mar 21, 2019
    Last edited: Mar 21, 2019

    69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #12
    I don't think that's right. Afaik, Pwn2Own has always required the most up to date versions of software to be running on systems. Again, afaik. Also, these aren't really tricks. There are different categories of devices they're trying to defeat. One that may be relevant to your IRL query is the attempt against Tesla that's happening today.

    Direct info: https://www.thezdi.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more
     
  13. Analog Kid macrumors 601

    Analog Kid

    Joined:
    Mar 4, 2003
    #13
    I know the threat environment is changing, and the systems are getting more complex, and Apple is under more scrutiny than ever before, but it still feels like Apple's security cred is slipping.

    I appreciate all of the work they're doing on privacy, but in this world these kinds of attacks are the biggest threats to privacy. They really need to keep security as a top priority.

    Also: I appreciate the structure of this event. Hack like crazy and keep the companies in the loop.
     
  14. sha1sum macrumors newbie

    sha1sum

    Joined:
    Mar 21, 2019
    Location:
    St Petersburg, FL
    #14
    In my opinion these folks should get early opportunities for bounties during alpha instead of catching this stuff in production. Basically outsourced security QA. Would make me feel more comfortable about releases from major companies.
     
  15. Kabeyun macrumors 68020

    Kabeyun

    Joined:
    Mar 27, 2004
    Location:
    Eastern USA
    #15
    Wrong. These are good things. These contests, bug bounties, etc., are designed to help improve software that can’t be perfect. Anyone who knows anything about major software development, including the little I know, knows that.
     
  16. C DM macrumors Sandy Bridge

    Joined:
    Oct 17, 2011
    #16
    Is that not really the case for other large software companies? Google gets its share of exploits, so does Microsoft, so do pretty much all others.
     
  17. sha1sum macrumors newbie

    sha1sum

    Joined:
    Mar 21, 2019
    Location:
    St Petersburg, FL
    #17
    Seems like every month someone sees some kid finding an exploit in some software and blames them as if they wrote the code. SO ANNOYING!
     
  18. Kabeyun macrumors 68020

    Kabeyun

    Joined:
    Mar 27, 2004
    Location:
    Eastern USA
    #18
    I didn’t see anyone blaming anyone but Apple for anything. But yeah, sure.
     
  19. halluxsinister macrumors regular

    halluxsinister

    Joined:
    Oct 17, 2017
    Location:
    Earth
    #19
    Is almost a quarter million dollars not a lot more expensive than properly testing code BEFORE it's released? This is getting embarrassing.
     
  20. killhippie macrumors 6502

    killhippie

    Joined:
    Jan 12, 2016
    Location:
    UK
    #20
    Embarrassing for whom? macOS and OS X have always been full of holes like Swiss cheese. It mostly went under the radar due to security by obscurity; it can't really do that any more, but then again Safari still ships with "open safe files" upon downloading...

    I install Firefox, which I much prefer as a browser, with it set to block tracking cookies and tracking scripts, then use either uBlock Origin or Adblock Plus with EasyPrivacy added. Then I use a VPN feature in my router (use any VPN not in the 14 Eyes countries; I prefer NordVPN, just personal preference, not a suggestion). Then I set up what I want to go through the normal pathways and what services and apps I want to go through the VPN, e.g. my browser goes through a VPN but the App Store does not. Same with the TV, gaming console, iPad, iPhone, etc., and once again what apps or services I think should be hidden or need to be direct for better downloads or streaming or privacy. It's a neat feature.

    I feel Safari really is still playing catch-up with some of the other browsers out there, and it can't afford to do that, or take so long between updates. I would rather have more patches than leave holes waiting to get fixed until the new hardware drops, which is what it feels like right now. I'm sure the new iMacs will drop with 12.14.4 (maybe a special version) and the iPads with 12.2 already on them as they ramp up production, meaning they could probably have dropped this week for the rest of us, if those images are already on the new hardware waiting to ship.
     
  21. dmylrea macrumors 68030

    dmylrea

    Joined:
    Sep 27, 2005
    #21
    Google is your friend:

    "The term “zero-day” refers to a newly discovered software vulnerability. ... But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That's known as a zero-day attack." -- Norton.com
     
  22. C DM macrumors Sandy Bridge

    Joined:
    Oct 17, 2011
    #22
    It's a fairly basic reality.
     
  23. realtuner macrumors 65816

    realtuner

    Joined:
    Mar 8, 2019
    Location:
    Canada
    #23
    There seem to be some misconceptions about how these researchers work.

    They don't just set them down in front of a machine and say "you have 1 hour to break into Safari" and away they go. They aren't "on-demand" hackers who can break into anything on the spot.

    They would have spent months looking for vulnerabilities and testing exploits and kept them a secret until the conference. Then they'd demonstrate them (while being timed) and if they are able to replicate their exploit within the time frame they get the prize money.

    The idea that you can just hire a few people like this to work at Apple and they'll simply sit down and clear up any exploits in your software is ridiculous.
     
  24. miniyou64 macrumors 6502a

    miniyou64

    Joined:
    Jul 8, 2008
    #24
    I know what it is. But do average readers? The writer should have included what this means in the article.
     