Safari Browser was Cracked Twice on Hacking Contest Pwn2Own 2018
At the annual hacking contest Pwn2Own 2018 held on Wednesday, Trend Micro held a Zero Day Initiative (ZDI) event with two attacks against the Apple Safari browser, one of which was a success. According to the details shared by the blog, Samuel Groß from phoenhex succeeded in invading Safari with three BUG chains containing macOS privilege vulnerability.
What is Pwn2Own?
At Pwn2Own, participating hackers are about cracking software under time pressure. If you succeed, you will receive a prize money. The vulnerabilities that hackers are using at this time are not yet publicly known. This is known as zero-day security vulnerability.
Pwn2Own hacking competition has been held since 2007, aiming at encourages hackers to discover and disclose a range of vulnerabilities that affect software and hardware, making it easier for manufacturers to fix them in time. Hackers can obtain cash rewards and master PWN integrals as long as they successfully display the exploit in the competition. From Safari to iPhone, many of Apple’s products have been the targets over the past 11 years, and the hacker made it successfully, including this year. Last year, the iPhone 7 was cracked by Richard Zhu.
Safari Browser was Cracked Twice
Three hackers Alex Plaskett, Georgi Geshev and Fabi Beterk who come from MWR laboratory, breaking the sandbox mode of Safari through two vulnerabilities, one was the heap buffer overflow vulnerability in the browser, and the other is the uninitialized stack variable vulnerability of the macOS. As the result, the team also received nearly $55,000 and five PWN points.
The second team who has broken the Safari is from Ret2 Systems Company, including members of Markus Gaasedele, Nick Burnett and Patrick Biernat, who took advantage of the macOS kernel to raise privilege vulnerabilities to attack Safari, but they didn’t really exploit the vulnerability until the fourth try.
Security researcher Richard Zhu, hacked Microsoft’s Edge and Mozilla’s Firefox. He got the most prize money (120,000 US dollars). Apple’s Safari has been hacked successfully by Samuel Gross.
The prize money on the Pwn2Own vary. Someone would have received $ 250,000 if he had cracked Microsoft’s Hyper-V virtualization solution within the given timeframe.