Hackers exploit holes in Safari and take control of Mac at Pwn2Own 2019

It is officially open in Vancouver (Canada) to Pwn2Own 2019This year's edition of the hacking conference puts experts in thrilling challenges in search of the most difficult or unlikely invasions of digital systems. As usual, the browser was not left out of the process. Safari, which had two exploited breaches, and in one case even allowed full access to the Mac in which it lived.

The most notable flaw was exploited by the group Phoenhex & Qwerty: Hackers have managed to bypass browser defense mechanisms with a series of processes started with a JIT bug (just in time). In the end, the team was able to gain access on root (root), but even to the kernel (core) of the Mac in question ie complete control over all aspects of the machine.

The group has invoiced $ 45,000 for the discovery and took home the Mac used to invade; The prize was not higher because Apple was already aware of one of the bugs used in the venture and therefore should fix it soon.

The second successfully exploited bug in Safari was the work of the group Fluoroacetate: they managed to escape the sandbox browser with an integer overflow technique (integer overflow). The team billed $ 55,000 and could have made even more money had the technique not occupied almost all of the time given up for the operation; As this is a brute force attack (by trial and error), a long time passed while the machine tried to execute the correct code.

Other software and equipment successfully attacked on the first day of Pwn2Own include the VMWare Workstation it's the Oracle VirtualBox; In total, US $ 240,000 has been awarded in prizes and the challenges are still in full swing there.

via AppleInsider