NEWS
Safari Targeted in two More Exploits at the Pwn2Own Security Conference
2800
2018-03-16
Posted by 3uTools

As the annual Pwn2Own conference continues today, Safari remains a common target among security researchers. Following the exploits we reported on earlier today, day two of the conference brought more news for Apple…


First, according to results posted to the Trend Micro’s Zero Day Initiative website this evening, Georgi Geshev, Alex Plaskett, and Fabi Beterke of MWR Labs used two vulnerabilities to exploit Safari and ultimately escape the sandbox. This means the exploit theoretically would be able to access permissions beyond Safari.


The MWR Labs team ultimately earned $55,000 and 5 Master of Pwn points.


Safari Targeted in two More Exploits at the Pwn2Own Security Conference

MWR Labs – Alex Plaskett , Georgi Geshev , Fabi Beterke, targeting Apple Safari with a sandbox escape


Success: The team used two vulnerabilities to exploit Safari and escape the sandbox. They earned themselves $55,000 and 5 Master of Pwn points.


In a separate session, Nick Burnett, Markus Gaasedelen, and Patrick Biernat of Ret2 Systems targeted Safari with a macOS kernel elevation of privilege vulnerabilities. The team was ultimately unable to complete their exploit during their allotted time, though they did get it working after the fact.


Markus Gaasedelen, Nick Burnett, Patrick Biernat of Ret2 Systems, Inc. targeting Apple Safari with a macOS kernel EoP


Failure: The contestant could not get his exploit working within the time allotted.


The most important aspect of the Pwn2Own conference, which began is 2007, is that developers like Apple are notified of the exploits and have ample opportunity to patch what could otherwise be critical software flaws.


Source: 9to5mac

Related Articles
Researchers Uncover MacOS And Safari Exploits At Pwn2Own 2017