Safari Falls Again as Hackers Continue to Target Apple’s Browser [Firefox Goes Down Too]
The Pwn2Own contest continued today, and Safari remained the hot target, as it was yesterday. After being successfully exploited with a trio of bugs (a JIT optimization bug, a kernel overwrite, and a macOS logic bug) to escape the sandbox and execute code with a kernel extension, Safari was broken again today.
Two hacking groups had their eyes on exploiting Apple Safari today:
- Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems tried to target Apple Safari with a macOS kernel EoP. However, the team failed to get this exploit working within the time allotted.
- MWR Labs, Alex Plaskett (AlaxJPlaskett), Georgi Geshev (munmap), and Fabi Beterke (pwnfl4k3s) were to target Apple Safari with a sandbox escape and managed to do so!
In the second attempt, which was successful, researchers used two vulnerabilities (a heap buffer underflow in the browser and an uninitialized stack variable in macOS) to exploit Safari and escape the sandbox, earning themselves $55,000.
— Trend Micro (@TrendMicro) March 15, 2018
It should be noted that the first team also managed to get the exploit working; however, it took them four attempts as opposed to the three allowed tries. "Bugs were purchased & disclosed to Apple through our normal process," the Zero Day Initiative said.
Safari remains a common target among researchers, but not the only one
Apple Safari may be a popular hit, but it's not the only browser that was successfully exploited at the event.
After a successful attack on Microsoft Edge yesterday, today's contest saw Firefox fall as well. Richard Zhu (fluorescence), who became a star of the event after a successful and quite dramatic run yesterday, in which he had to debug his exploit in front of the crowd after it didn't work, made $70,000 in rewards. Today, he successfully targeted Mozilla Firefox with a Windows kernel EoP.
Without any drama today, he managed to exploit Firefox on his first attempt. He used an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel, and ZDI reported that he earned himself another $50,000. In total, Zhu made $120,000 in this two-day event. He was also given the title of Master of Pwn.
Trend Micro said in total it "awarded $267,000 over the two-day contest while acquiring five Apple bugs, four Microsoft bugs, two Oracle bugs, and one Mozilla bug."
Apart from their cash winnings, researchers also get to keep the laptops they exploited. "They pwned it; they get to own it," appears to be ZDI's mantra. The annual Pwn2Own contest is quite popular in the industry as it brings security researchers and companies together, incentivizing hackers to responsibly disclose exploits with bug rewards.