Researchers found two Safari Zero Day Exploits at Pwn2Own

Researchers have found two zero-day exploits in Apple’s Safari browser at the seventeenth annual CanSecWest security conference in downtown Vancouver, British Columbia.

Security researchers from all over the world are competing at the 10th anniversary of the Pwn2Own computer hacking contest, which offers over $1 million in prize money for finding security flaws in popular software and mobile devices.

Results of day one have been published on the Zero Day Initiative website. Independent hackers Samuel Groß and Niklas Baumstark have earned $28,000 for a partial success in finding an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar.

"In a partial win, Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) earn some style points by leaving a special message on the touch bar of the Mac. They used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in MacOS. They still managed to earn $28,000 USD and 9 Master of Pwn points."

The other half was solved by the team of security researchers from Chaitin Security Research Lab, who were successful in finding six bugs for their exploit chain, including "an info disclosure in Safari, four type confusion bugs in the browser, and a UAF in WindowServer". The combined efforts earned the team $35,000.

According to published details, the other participating teams earned a total of $233,000, including a leading $105,000 earned by Tencent Security. The participants targeted other software such as Adobe Reader, Ubuntu Desktop, and Microsoft Edge on Windows.

