The annual CanSecWest security conference is taking place in Vancouver, Canada, and with it, one of the largest hacker fairs in the world, the Pwn2Own 2018, where experts compete for cash prizes (which add up to $ 2 million!) in search of loopholes and control of operating systems and software.
Just like in 2016 and 2017, our good old Safari it's the macOS as a whole ended up leaving as one of the competition's victims. The hacker Samuel ?5aelo? Grogroup phoenhex, explored a bug related to JIT optimization in Apple's browser; he combined this loophole with a macOS logical bug to get out of sandbox, and with a change in kernel of the system to take control of the browser.
To signal the achievement, Gro left a message on the Touch Bar of the MacBook Pro he was working on. The hacker received an award for $ 65k and six points in the search for the title "Master of Pwn", which names the most successful hacker at the fair. The gap discovered by Gro has been properly reported to Apple and is expected to close very soon.
Pwn2Own, which, yesterday, also saw Microsoft and Oracle systems being invaded today will have its second day of sessions and new loopholes may be discovered in the world of Ma and in other parts of the technological universe. We, of course, will keep an eye out.
Update 03/16/2018 s 15:10
On the second day of Pwn2Own, the Safari it remained a (relatively) easy target for hackers and teams there so much so that two more browser holes were exploited today by the same team.
Hackers Georgi Geshev, Alex Plaskett and Fabi Beterke of the MWR Labs group used two vulnerabilities in Apple's browser to get out of sandbox and take control system; with the conquest, they won $ 55k and five points in the search for the title "Master of Pwn".
Meanwhile, another team of Mark2 Gaasedelen, Nick Burnett and Patrick Biernat of Ret2 Systems managed to take control of the system by taking advantage of a vulnerability in kernel macOS and applying it against Safari. However, the challenge was completed only after the proposed time (half an hour) and the team was not awarded.
In total, this edition of Pwn2Own distributed $ 267,000 in prizes, with hacker Richard Zhu being nominated "Master of Pwn" of the event and taking home $ 120,000. Not bad, huh?