
White hat hackers discovered two security flaws in the Safari browser at a security conference in Vancouver. One of them can even escalate its permissions to the point of taking complete control of your Mac. The first of the bugs discovered allowed an escape from the sandbox, the security boundary that restricts an application to its own data and to the system resources it has been granted.

The competition was opened by the Fluoroacetate team, whose members were Amat Cama and Richard Zhu. The team specifically targeted the Safari web browser, successfully attacked it and escaped the sandbox. The attempt used almost the entire time limit allotted to the team, and the exploit succeeded only on the second try, but demonstrating the bug earned Team Fluoroacetate $55K and 5 points towards the Master of Pwn title.

The second bug disclosed gave root and kernel-level access on a Mac. It was demonstrated by the phoenhex & qwerty team. By visiting a website they controlled, the team triggered a JIT bug and chained it with a series of further steps leading to a full system compromise. Apple was already aware of one of the bugs, but demonstrating them earned the participants $45 and 4 points toward the Master of Pwn title.

Fluoroacetate Team (Source: ZDI)

The organizer of the conference is Trend Micro under the banner of its Zero Day Initiative (ZDI). This program was created to encourage hackers to report vulnerabilities privately and directly to the affected companies instead of selling them to the wrong people. Financial rewards, public acknowledgment and titles are intended to be the hackers' motivation.

Interested parties send the details of a vulnerability directly to ZDI, which gathers the information the affected vendor will need. Researchers employed by the initiative then verify the submissions in dedicated testing laboratories and offer the discoverer a reward, which is paid as soon as the submission is approved. During the first day, ZDI paid out over 240 dollars to experts.

Safari is a common entry point for hackers. At last year's conference, for example, the browser was used to take control of the Touch Bar on a MacBook Pro, and on the same day participants demonstrated other browser-based attacks.

Source: The ZDI
