This year’s annual PWN2OWN hackfest saw a team of Chinese vulnerability and exploit developers take down Apple’s Safari web browser on OS X by exploiting a WebKit flaw, and circumvent Apple’s sandbox via an OS X system-level vulnerability. However, the hackers say that, as a whole, OS X is tough to exploit and is a secure system overall.
Every year for the past seven years, hackers have gathered at the annual PWN2OWN event to hack high-profile software and mobile devices using previously unknown vulnerabilities. Apple’s Safari browser and iOS platform are often included in the annual contest, which also targets Internet Explorer, Chrome, Firefox, and Adobe’s Flash and Reader applications.
China’s Keen team exploited two vulnerabilities that allowed them to execute arbitrary code. They exploited a Safari WebKit flaw, and circumvented Apple’s OS X sandbox via a system-level vulnerability.
Although the team was able to exploit flaws in the system, the Keen team noted that Apple’s operating system is overall quite secure.
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Keen team member Liang Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
Apple representatives were present during the contest, and they have been made aware of the exploits used by the team in the contest.