It’s “Pwn2Own” time again, and on day one a security researcher earned a $100,000 prize for a Safari-to-kernel zero-day exploit.
Jack Dates of RET2 Systems chained an integer overflow in Safari with an out-of-bounds (OOB) write to go from a rendered web page to kernel-level code execution on macOS. The one-click chain earned him $100,000.
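The article names the bug classes but not the bugs themselves. The block below is an added, constructed illustration of the general pattern (integer overflow in a size computation that shrinks an allocation, followed by a write that runs past it); it is not RET2's exploit and says nothing about the actual Safari vulnerability. The element size, the counter width and the function names are assumptions chosen for the demonstration, and the vulnerable function stops short of performing the real out-of-bounds write so the example can be run safely.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not code from the page or from RET2). An attacker-
 * controlled element count is multiplied by a fixed element size using
 * 32-bit arithmetic; if the product wraps, the allocation is tiny while the
 * later write still uses the original count. */
#define ELEM_SIZE 16u   /* assumption: 16-byte elements */

/* Vulnerable size computation: the product wraps modulo 2^32. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened size computation: rejects counts whose product cannot fit.
 * Returns 0 on overflow (or count == 0), otherwise the true byte size. */
uint32_t checked_alloc_size(uint32_t count) {
    if (count == 0 || count > UINT32_MAX / ELEM_SIZE)
        return 0;
    return count * ELEM_SIZE;
}

/* Models the vulnerable copy loop. Allocates the wrapped size, fills only
 * what fits, and returns how many bytes a real memcpy of `count` elements
 * would have written PAST the end of the buffer (0 means in-bounds). */
uint64_t oob_bytes_unchecked(uint32_t count) {
    uint32_t alloc = unchecked_alloc_size(count);
    uint64_t needed = (uint64_t)count * ELEM_SIZE;   /* 64-bit: no wrap */
    unsigned char *buf = malloc(alloc ? alloc : 1);
    if (!buf)
        return 0;
    /* Real code would do memset(buf, 0x41, needed) and corrupt the heap. */
    memset(buf, 0x41, needed < alloc ? (size_t)needed : alloc);
    free(buf);
    return needed > alloc ? needed - alloc : 0;
}

/* Same copy with the hardened size check: returns 1 if the input is
 * rejected, 0 if the write stays in bounds. */
int copy_checked(uint32_t count) {
    uint32_t alloc = checked_alloc_size(count);
    if (alloc == 0)
        return 1;                       /* overflow detected, refuse */
    unsigned char *buf = malloc(alloc);
    if (!buf)
        return 1;
    memset(buf, 0x41, alloc);           /* alloc == count * ELEM_SIZE exactly */
    free(buf);
    return 0;
}

int main(void) {
    /* 0x10000001 * 16 = 0x100000010, which wraps to 0x10 in 32 bits. */
    uint32_t evil = 0x10000001u;
    printf("wrapped alloc size: %u bytes\n", unchecked_alloc_size(evil));
    printf("bytes that would spill past the buffer: 0x%llx\n",
           (unsigned long long)oob_bytes_unchecked(evil));
    printf("hardened path rejects it: %d\n", copy_checked(evil));
    printf("hardened path accepts 100 elements: %d\n", copy_checked(100u));
    return 0;
}
```

The check `count > UINT32_MAX / ELEM_SIZE` is the portable form; on compilers that support it, `__builtin_mul_overflow` expresses the same intent more directly. Either way the fix is to validate the product before the allocation size is derived from it, not after.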
Congratulations Jack! Landing a 1-click Apple Safari to Kernel Zero-day at #Pwn2Own 2021 on behalf of RET2: https://t.co/cfbwT1IdAt pic.twitter.com/etE4MFmtqs
— RET2 Systems (@ret2systems) April 6, 2021
Each year the Zero Day Initiative (ZDI) hosts the Pwn2Own hacking contest, where security researchers earn cash prizes for demonstrating working exploits against previously unknown vulnerabilities in widely used software such as macOS and Windows.
This year’s event was live-streamed on YouTube. The 2021 contest comprised 23 separate attempts across 10 products, spanning web browsers, virtualization software, servers, and more.
Targets included Microsoft Exchange, Parallels, Windows 10, Microsoft Teams, Ubuntu, Oracle VirtualBox, Zoom, Google Chrome, and Microsoft Edge.
Participants earned more than $1.2 million in total for the bugs they demonstrated. Vendors such as Apple have 90 days to ship a fix before ZDI publishes details of the vulnerabilities, so a patch for the Safari bug can be expected in an upcoming update; until it lands, the only user-side mitigation is keeping Safari and macOS current.