Two sets of white-hat hackers competing at the annual Pwn2Own conference on Wednesday uncovered two zero-day vulnerabilities in Apple’s Safari browser. Three teams competed to successfully exploit bugs they found to achieve root access to macOS.
9to5Mac reports that eleven teams are competing for a total of $1 million in prize money at the 10th annual conference. Three of the teams attempted to exploit the Safari bug. Two of the three were successful.
Chaitin Security Research Lab chained together an exploit that took advantage of six separate bugs to escalate their access to root on macOS, winning a $35,000 prize.
Samuel Groß and Niklas Baumstark won $28,000 for exploiting five bugs to display a message on the Touch Bar of a 2016 MacBook Pro.
Organizers of the competition will furnish full details of the exploits to Apple so the Cupertino firm can fix the bugs before they are made public. The conference and the competition will continue today.
Previous years have seen Safari as a popular target in the competition. Back in 2011 it took just five seconds for French security firm Vupen to exploit a vulnerability in Safari 5.0.4 to gain root access to a MacBook Air. The team took home the machine as part of their winnings.
2014 saw a team exploit two bugs in the iOS version of Safari to take control of an iPhone 5s. That same year, a Chinese hacking team gained root access to a Mac. Although the team was able to exploit flaws in the system, the Keen team noted that Apple’s operating system is overall quite secure.
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Keen team member Liang Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”