Two Critical Zero-Day Safari Vulnerabilities Exposed at Pwn2Own in Vancouver

Apple’s Safari web browser was one of the products hacked on the first day of the Pwn2Own 2019 hacking competition.

According to a new press release from the Zero Day Initiative, Apple’s Safari web browser and the Oracle VirtualBox and VMware Workstation virtualization products were hacked on the first day of Pwn2Own 2019, earning researchers a total of $240,000 USD in cash.

A team known as “phoenhex & qwerty” demonstrated a Safari vulnerability: “By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug,” reads the report. Although Apple is apparently aware of one of the bugs used, the team nevertheless took home $45,000 USD for their efforts.

Another team, known as “Fluoroacetate,” found a way of escaping the macOS sandbox via a Safari integer overflow and a heap overflow. “The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape,” explains the report. “The code would fail then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.”

Along with cash prizes, teams also receive the notebooks the exploits are demonstrated on, as well as “Master of Pwn” points for the overall competition.

Pwn2Own 2019 is a hacking competition organized by Trend Micro’s Zero Day Initiative and taking place in Vancouver, Canada, in which white-hat hackers are offered financial incentives to hack certain products and services.

While the hackers receive payment for their work, the competition warns developers and companies about existing security issues in a responsible manner. It notifies companies like Apple, allowing them to improve their platform security.
