Hackers Manage to Get Root Access on macOS – Two Safari Security Flaws Reported


The annual Pwn2own conference is underway and that means we are going to be seeing some interesting - and critical - security vulnerabilities. Since Apple attracts most of the security researchers' efforts (three of the ten attempts targeted Safari security on day one), we will be talking about the two zero-day vulnerabilities affecting Apple's Safari browser that were showcased at the annual security conference.

Two zero-day Safari security vulnerabilities reported by hackers

With over $1 million in prizes, you can be sure that this conference attracts the best talent from around the world. The Zero Day Initiative has now posted the results of yesterday, confirming two Safari security vulnerabilities.

Safari Falls Again as Hackers Continue to Target Apple’s Browser [Firefox Goes Down Too]

Day one of the conference managed to get two independent hackers $28,000 after they successfully demonstrated attacks on Safari using a use-after-free (UAF) in the browser combined with three logic bugs. Independent hackers Groß and Baumstark targeted Safari with a flaw that allowed them to scroll a message on a MacBook Pro Touch Bar.

In a partial win, Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) earn some style points by leaving a special message on the touch bar of the Mac. They used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. They still managed to earn $28,000 USD and 9 Master of Pwn points.

Following this, Chaitin Security Research Lab also targeted Safari using a total of six bugs in their exploit chain, winning a prize of $35,000.

The Chaitin Security Research Lab (@ChaitinTech) successfuly exploited Apple Safari to gain root access on macOS by using a total of six bugs in their exploit chain including an info disclosure in Safari, four different type confusions bugs in the browser, and an a UAF in WindowServer. This earned the team $35,000 and 11 points towards Master of Pwn.

Details of these flaws haven't been shared since Apple will first patch up these vulnerabilities before details are made available to the public.

Overall, the participating teams earned a total of $233,000 in prizes on day one. Apart from Safari, researchers found flaws in Microsoft Edge (which helped Tencent Security earn a massive $80,000), Ubuntu Desktop and Adobe Reader.