macOS and Safari vulnerabilities discovered at a hacking contest with a maximum prize of more than 200 million yen


by Ash Edmonds

At "Pwn2Own 2018", a hacking contest with prizes of up to two million dollars (about 210 million yen) held with the support of Microsoft and VMware, researchers have discovered vulnerabilities in macOS and Safari.

Researchers Uncover macOS and Safari Exploits at Pwn2Own 2018 - Mac Rumors
https://www.macrumors.com/2018/03/15/macos-safari-exploits-pwn2own-2018/


In the hacking contest "Pwn2Own", participants attempt to find security vulnerabilities by hacking operating systems and browsers, and those who find a vulnerability and succeed in hacking the target receive prize money. At Pwn2Own 2018, held from March 14, 2018, researchers discovered serious vulnerabilities in macOS and Safari.

The Pwn2Own 2018 schedule page describes how the hacks were carried out. According to it, Samuel Groß says, "I succeeded in exploiting Safari's vulnerability by using elevated privilege (EoP) in the macOS kernel."

Zero Day Initiative - Welcome to Pwn2Own 2018: The Schedule
https://www.thezdi.com/blog/2018/3/14/welcome-to-pwn2own-2018-the-schedule


According to Mac Rumors, Groß appears to have succeeded in executing code in the browser by using a JIT compiler optimization bug in Safari, a macOS logic bug, a kernel privilege escalation, and so on. With this, Groß earned a prize of $65,000 (about 6.90 million yen). With this hack, it is apparently possible to display text-based messages on the Touch Bar of the MacBook Pro.

At Pwn2Own 2017 as well, Groß succeeded in displaying a message on the Touch Bar of a MacBook Pro by targeting Safari on macOS and escalating to root privileges, earning 28,000 dollars (about 3 million yen) in prize money.


At Pwn2Own 2018, another Safari-related vulnerability was also targeted. The attempt used two Safari-related bugs discovered at the Pwn2Own mobile event held in November 2017. Richard Zhu attempted a hack that used them to bypass the security protocol of the iPhone 7, but he was unable to make the hack succeed within the 30-minute time limit.

However, Mr. Zhu carried out a successful hack using two use-after-free bugs, executing code with high privileges and performing an integer overflow attack on the kernel, and earned a prize of $7000 (about 740,000 yen).

The total prize money earned on the first day by the teams participating in Pwn2Own 2018 is 16 million dollars (about 17 million yen). Three Apple-related bugs, two Oracle-related bugs, and three Microsoft-related bugs were found. The second day of the contest will start at 10 o'clock local time on the 15th, and additional attacks targeting macOS and Safari will be attempted.

in Software, Security, Posted by logu_ii