Title: Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest Post by: HCK on April 11, 2021, 04:05:13 pm
Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS.

(Video: https://www.youtube.com/embed/dA3aIMgRFY8)

This 2021 Pwn2Own virtual event kicked off earlier this week and featured 23 separate hacking attempts across 10 different products, including web browsers, virtualization software, servers, and more. A three-day affair that spans multiple hours a day, this year's Pwn2Own event was livestreamed on YouTube.

Apple products were not heavily targeted in Pwn2Own 2021, but on day one, Jack Dates from RET2 Systems executed a Safari-to-kernel zero-day exploit and earned himself $100,000. He chained an integer overflow in Safari with an out-of-bounds (OOB) write to get kernel-level code execution, as demoed in the tweet below.

RET2 Systems (@ret2systems), April 6, 2021: "Congratulations Jack! Landing a 1-click Apple Safari to Kernel Zero-day at #Pwn2Own 2021 on behalf of RET2: https://t.co/cfbwT1IdAt" (https://twitter.com/ret2systems/status/1379457891724328964)

Other hacking attempts during the Pwn2Own event targeted Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge. A serious Zoom flaw was demonstrated by Dutch researchers Daan Keuper and Thijs Alkemade, for example. The duo exploited a trio of flaws to get total control of a target PC running the Zoom app with no user interaction.
Zero Day Initiative (@thezdi), April 7, 2021: "We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc" (https://twitter.com/thezdi/status/1379855435730149378)

Pwn2Own participants received more than $1.2 million in rewards for the bugs they discovered. Pwn2Own gives vendors like Apple 90 days to produce a fix for the vulnerabilities that are uncovered, so we can expect the bug to be addressed in an update in the not too distant future.

This article, "Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest" (https://www.macrumors.com/2021/04/08/pwn2own-safari-exploit-demonstrated/), first appeared on MacRumors.com (https://www.macrumors.com).

Source: Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest (https://www.macrumors.com/2021/04/08/pwn2own-safari-exploit-demonstrated/) |
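The article only names the bug class behind the Safari entry, "integer overflow leading to an out-of-bounds write", without showing what that looks like in code. The C below is a constructed, generic illustration added to this post; it is not the RET2 bug, nor WebKit code, and the names (`vuln_buffer_size`, `safe_buffer_size`, `vuln_overrun_bytes`, the 4-byte element size and 16-byte header) are all assumptions for the example. It shows a 32-bit size computation that wraps so the allocation ends up far smaller than the data a copy loop would write, beside a hardened version that widens the arithmetic and rejects the wrapped size.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example of "integer overflow -> out-of-bounds write".
 * This is NOT the Safari bug from Pwn2Own 2021; it is a generic model
 * of the bug class: a byte count computed in 32-bit arithmetic wraps,
 * so the buffer is allocated much smaller than the data later copied
 * into it. ELEM_SIZE and the header length are arbitrary choices. */

enum { ELEM_SIZE = 4 };

/* Vulnerable: header_len + count*4 is evaluated in uint32_t and wraps
 * silently once count*4 exceeds UINT32_MAX. The allocation that follows
 * (not performed here) would be undersized. */
uint32_t vuln_buffer_size(uint32_t header_len, uint32_t count) {
    return header_len + count * ELEM_SIZE;
}

/* Hardened: widen to 64 bits and refuse any total that does not fit the
 * 32-bit size the allocator and copy loop actually use. On GCC/Clang,
 * __builtin_mul_overflow / __builtin_add_overflow give the same check
 * without the manual widening. Returns the size, or -1 on overflow. */
int64_t safe_buffer_size(uint32_t header_len, uint32_t count) {
    uint64_t total = (uint64_t)header_len + (uint64_t)count * ELEM_SIZE;
    if (total > UINT32_MAX)
        return -1;
    return (int64_t)total;
}

/* How many bytes a copy loop over `count` elements would write past the
 * end of a buffer sized by vuln_buffer_size(). Computed arithmetically so
 * the example never performs the (undefined-behaviour) OOB write itself;
 * a positive result means the write runs off the end of the buffer. */
int64_t vuln_overrun_bytes(uint32_t header_len, uint32_t count) {
    uint32_t alloc = vuln_buffer_size(header_len, count);
    uint64_t intended = (uint64_t)header_len + (uint64_t)count * ELEM_SIZE;
    return (int64_t)intended - (int64_t)alloc;
}

int main(void) {
    uint32_t header = 16;
    /* 2^30 elements * 4 bytes = 2^32, which wraps to 0 in 32-bit math,
     * leaving only the 16-byte header allocated. */
    uint32_t count = 0x40000000u;

    printf("vulnerable: allocates %u bytes, copy loop overruns by %lld bytes\n",
           vuln_buffer_size(header, count),
           (long long)vuln_overrun_bytes(header, count));
    printf("hardened:   %s\n",
           safe_buffer_size(header, count) < 0 ? "size rejected" : "size accepted");
    printf("hardened, sane input (10 elements): %lld bytes\n",
           (long long)safe_buffer_size(header, 10));
    return 0;
}
```

The attacker-controlled value in a real browser bug is typically an element count or length that comes from web content (an array length, a string length, a typed-array offset); the check that matters is the one on the total byte size immediately before it is used for allocation and indexing, not a sanity check on the count alone.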