Pages: [1]   Go Down
  Print  
Author Topic: Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest  (Read 222 times)
HCK
Global Moderator
Hero Member
*****
Posts: 79425



« on: April 11, 2021, 04:05:13 pm »

Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest

Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS.





<div class="center-wrap"><iframe title="YouTube video player" src="https://www.youtube.com/embed/dA3aIMgRFY8" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></div>


This 2021 Pwn2Own virtual event kicked off earlier this week and featured 23 separate hacking attempts across 10 different products including web browsers, virtualization, servers, and more. A three-day affair that spans multiple hours a day, this year's Pwn2Own event was livestreamed on YouTube.





Apple products were not heavily targeted in Pwn2Own 2021, but on day one, Jack Dates from RET2 Systems executed a Safari to kernel zero-day exploit and earned himself $100,000. He used an integer overflow in Safari and an OOB write to get kernel-level code execution, as demoed in the tweet below.





<div class="center-wrap"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Congratulations Jack! Landing a 1-click Apple Safari to Kernel Zero-day at #Pwn2Own 2021 on behalf of RET2: https://t.co/cfbwT1IdAt pic.twitter.com/etE4MFmtqs</p>&mdash; RET2 Systems (@ret2systems) April 6, 2021 <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div>


Other hacking attempts during the Pwn2Own event targeted Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge.





A serious Zoom flaw was demonstrated by Dutch researchers Daan Keuper and Thijs Alkemade, for example. The duo exploited a trio of flaws to get total control of a target PC using the Zoom app with no user interaction.





<div class="center-wrap"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">We're still confirming the details of the #Zoom exploit with Daan and Thijs, but here's a better gif of the bug in action. #Pwn2Own #PopCalc pic.twitter.com/nIdTwik9aW</p>&mdash; Zero Day Initiative (@thezdi) April 7, 2021 <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div>


Pwn2Own participants received more than $1.2 million in rewards for the bugs they discovered. Pwn2Own gives vendors like Apple 90 days to produce a fix for the vulnerabilities that are uncovered, so we can expect the bug to be addressed in an update in the not too distant future.<div class="linkback">Tag: Safari</div>
This article, &quot;Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest&quot; first appeared on MacRumors.com

Discuss this article in our forums

<div class="feedflare">
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=yIl2AUoC8zA" border="0"></img>[/url] <img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=6W8y8wAjSf4" border="0"></img>[/url] <img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=qj6IDK7rITs" border="0"></img>[/url]
</div><img src="http://feeds.feedburner.com/~r/MacRumors-Front/~4/iDCruzzDyPQ" height="1" width="1" alt=""/>

Source: Security Researcher Earns $100,000 for Safari Exploit in Pwn2Own Hacking Contest
Logged
Pages: [1]   Go Up
  Print  
 
Jump to: