“The seventeenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, where researchers are competing in the 10th anniversary Pwn2Own computer hacking contest for over $1 million in prizes,” Tim Hardwick reports for MacRumors.
“Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar,” Hardwick reports. “Later in the day, Chaitin Security Research Lab also targeted Safari with an escalation to root on macOS, finding success using a total of six bugs in their exploit chain… The combined efforts earned the team $35,000.”
Hardwick reports, “Apple representatives have attended the Pwn2Own contest in the past, and affected parties are made aware of all security vulnerabilities discovered during the contest in order to patch them.”
Read more in the full article here.
MacDailyNews Take: As always, the more issues the white hats find, the better!
Maybe it’s time to switch to Linux
Linux has its own security and malware problems.
But it does have security through obscurity, the longstanding Mac security claim!
Rather a ‘security claim’ stated by Windoze users to malign Macs one way or another. Either ‘No one buys Macs’ OR ‘Macs have fewer viruses because there are so few of them out there’.
Security Through Obscurity has been used as an excuse for the better security of Macs versus everything else. Sadly, for Windows apologists, the argument turned out to be a joke compared to the orders of magnitude higher amount of malware on their chosen OS.
BUT! There is no doubt some obscurity effect for both Linux and macOS. The general concept is that crooks grab for the low hanging fruit, the most available. That’s clearly Windows and Android. Thus the less available OSes gain some small benefit. Meanwhile, a lot of other factors, of course ignored by Apple haters or Linus haters, are involved that make their operating systems foundationally safer. (Hint: BSD Unix).
From the source article:
Other software successfully targeted by contestants include Adobe Reader, Ubuntu Desktop, and Microsoft Edge on Windows.
I am grateful that someone is assisting Apple to make Apple’s software more safe and secure.
The Pwn Contest results are being posted here. There will be more results at the end of today:
WELCOME TO PWN2OWN 2017 – THE SCHEDULE
Maybe it’s just me but there sure seems to be more macOS and Safari exploits being shown this year.
There are typically one or two. The details of these exploits are important as they very often require what amounts to a planted LUSER sitting at the keyboard of the computers involved who *allows* something to be installed, resulting in PWNage. The most dangerous PWNs are those that require no LUSER participation, IOW no Trojan horse.
Meanwhile, as an Apple security watcher, I can point to an often VERY long list of CVEs (common vulnerabilities and exposures) in updates of both macOS and WebKit (which is the core of Safari). IOW: There’s nothing perfect about Apple software. It’s simply better than most and better protected (XProtect, Gatekeeper, Apple Mac App Store, etc.)
Wow, you mean if that MacBook Pro had shipped with more memory it would not have been as easy to hack?
The links to each day’s Pwn-To-Own results are here:
https://www.zerodayinitiative.com/blog/?tag=Pwn2Own
–>Further HACKS of macOS and Safari succeeded on Day Two.
Grrrr!
Apple? Are you paying ATTENTION?!?!?
There’s security work to do.
What makes it more annoying is that the contest disqualifies any hack based on a previously announced one. This means that each one that is considered successful is different from the others.