Pwn2Own hackers uncover macOS and Safari exploits

“The seventeenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, where researchers are competing in the 10th anniversary Pwn2Own computer hacking contest for over $1 million in prizes,” Tim Hardwick reports for MacRumors.

“Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar,” Hardwick reports. “Later in the day, Chaitin Security Research Lab also targeted Safari with an escalation to root on macOS, finding success using a total of six bugs in their exploit chain… The combined efforts earned the team $35,000.”

Hardwick reports, “Apple representatives have attended the Pwn2Own contest in the past, and affected parties are made aware of all security vulnerabilities discovered during the contest in order to patch them.”

Read more in the full article here.

MacDailyNews Take: As always, the more issues the white hats find, the better!


        1. Rather a ‘security claim’ stated by Windoze users to malign Macs one way or another. Either ‘No one buys Macs’ OR ‘Macs have fewer viruses because there are so few of them out there’.

        2. Security Through Obscurity has been used as an excuse for the better security of Macs versus everything else. Sadly, for Windows apologists, the argument turned out to be a joke compared to the orders of magnitude higher amount of malware on their chosen OS.

          BUT! There is no doubt some obscurity effect for both Linux and macOS. The general concept is that crooks grab for the low hanging fruit, the most available. That’s clearly Windows and Android. Thus the less available OSes gain some small benefit. Meanwhile, a lot of other factors, of course ignored by Apple haters or Linus haters, in involved that make their operating systems foundationally safer. (Hint: BSD Unix).

      1. There are typically one or two. The details of these exploits are important as they very often require what amounts to a planted LUSER sitting at the keyboard of the computers involved who *allows* something to be installed, resulting in PWNage. The most dangerous PWNs are those that require no LUSER participation, IOW no Trojan horse.

        Meanwhile, as an Apple security watcher, I can point to an often VERY long list of CVEs (common vulnerabilities and exposures) in updates of both macOS and WebKit (which is the core of Safari). IOW: There’s nothing perfect about Apple software. It’s simply better than most and better protected (XProtect, Gatekeeper, Apple Mac App Store, etc.)

    1. What makes it more annoying is that the contest disqualifies any hack based on a previously announced one. This means that each one that is considered successful is different from the others.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.