Free Republic
Browse · Search
General/Chat
Topics · Post Article


Two zero-day Safari exploits found, one allowing complete takeover of Mac
9 to 5 Mac | Mar. 21st 2019 6:44 am PT | Ben Lovejoy

Posted on 03/21/2019 10:57:40 AM PDT by Swordmaker


White-hat hackers at a security conference in Vancouver have found two zero-day Safari exploits, one of which allowed them to escalate their privileges to the point that they were able to completely take over the Mac …

The first exploit managed to escape the sandbox, a protection macOS uses to ensure that apps only have access to their own data, and any system data permitted by Apple.

The contest started with the team of Fluoroacetate (Amat Cama and Richard Zhu) targeting the Apple Safari web browser. They successfully exploited the browser and escaped the sandbox by using an integer overflow in the browser and a heap overflow to escape the sandbox. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape. The code would fail then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.

The second got rather further, gaining both root and kernel access to the Mac.

The final entry in Day One saw the phoenhex & qwerty team (@_niklasb @qwertyoruiopz and @bkth_) targeting Apple Safari with a kernel elevation. They demonstrated a complete system compromise. By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Unfortunately, it was only a partial win since Apple already knew of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn. (ZDI)

Safari is a common access point for hackers. Last year’s conference saw one zero-day Safari exploit used to take control of the Touch Bar on the MacBook Pro, with three more Safari-based exploits demonstrated the following day.

The event was hosted by Trend Micro under the branding of its Zero Day Initiative (ZDI). The program was created to encourage hackers to privately report vulnerabilities to the companies concerned rather than sell them to bad actors. ZDI does this by offering financial rewards and kudos.

Interested researchers provide us with exclusive information about previously un-patched vulnerabilities they have discovered. The ZDI then collects background information in order to validate the identity of the researcher strictly for ethical and financial oversight. Our internal researchers and analysts validate the issue in our security labs and make a monetary offer to the researcher. If the researcher accepts the offer, a payment will be promptly made. As a researcher discovers and provides additional vulnerability research, bonuses and rewards can increase through a loyalty program similar to a frequent flier program.

Trend Micro uses the vulnerability information to create protection for its customers, while simultaneously notifying the vendor – in this case Apple – so that they can fix the problem.

ZDI paid out a total of $240k on the first day.

As per its usual practice, ZDI will not release detailed information on the exploits until Apple has confirmed that it has fixed them in a macOS update.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; safari; security; whitehat

1 posted on 03/21/2019 10:57:40 AM PDT by Swordmaker

To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
White Hat hackers at contest find and report to Apple five zero day Safari vulnerabilities. The hackers were awarded bounties by Trend Micro and "Atta-boys" kudos for their efforts. Finding such vulnerabilities is a benefit to all. . . —PING!


Safari Security Vulnerability Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 03/21/2019 11:02:24 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker
The Beach Boys ~ Surfin' Safari (1962)


3 posted on 03/21/2019 11:32:08 AM PDT by SunkenCiv (this tagline space is now available)

To: Swordmaker

Any recommendations on a program for protecting a Mac ... generally? I have the MacBook Air (the new one) and then I’m getting a new iMac soon. Just wondering if there is any one program that is better than the others in protecting the Mac.

Nice to get back here again, with other Macintosh users. I’ve been away from Free Republic for quite a while. Glad you’re still ‘at it’ with Macintosh ... Swordmaker!


4 posted on 03/21/2019 11:33:17 AM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: Star Traveler

Nice to see you back Star Traveler.


5 posted on 03/21/2019 11:51:02 AM PDT by aMorePerfectUnion

To: Star Traveler

Like any computer, lock it in a closet and throw away the key.


6 posted on 03/21/2019 12:02:35 PM PDT by ImJustAnotherOkie (All I know is what I read in the papers.)

To: Star Traveler

Welcome back. . . The advice is still to let the OS do it. Occasionally run a free Mac version of Malwarebytes to see if any Windows stuff might be lurking around you could be sending out.


7 posted on 03/21/2019 12:03:12 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker

This crap will never end.


8 posted on 03/21/2019 12:03:28 PM PDT by ImJustAnotherOkie (All I know is what I read in the papers.)

To: ImJustAnotherOkie

System exploits and Mohammedan Madness. Examples of the neverending story.


9 posted on 03/21/2019 12:15:46 PM PDT by chulaivn66 (No. Your move.)

To: ImJustAnotherOkie

There are always exploits. That is the whole point of white hat activities like this contest. Nothing to see here.


10 posted on 03/21/2019 12:20:00 PM PDT by TalonDJ

To: ImJustAnotherOkie; Swordmaker
"Like any computer, lock it in a closet and throw away the key."

Better make sure that closet doesn't have a back door.

_____________________________________________________

Another good example of security just being an illusion, eh Swordie?


11 posted on 03/21/2019 1:47:59 PM PDT by Garth Tater (What's mine is mine.)

To: Swordmaker

Thanks ... and I’ll check that out.


12 posted on 03/21/2019 2:37:51 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: ImJustAnotherOkie

LOL ...


13 posted on 03/21/2019 2:38:43 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: Swordmaker

What do you think of the Epic browser on the Mac?
I’ve been using it a little.


14 posted on 03/21/2019 2:46:51 PM PDT by BTerclinger (MAGA)

To: BTerclinger
"What do you think of the Epic browser on the Mac?
I’ve been using it a little."

It looks like a good privacy priority alternative browser to me. Don’t use it to log into gmail, per Epic’s own advice.

15 posted on 03/21/2019 3:35:41 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker

True or false - these “hacks” required physical access to the computer in question? Or does it require tricking a user (running an account with admin privileges) into clicking a link to a nefarious web page?


16 posted on 03/21/2019 11:20:49 PM PDT by TheBattman (Democrats-Progressives-Marxists-Socialists - redundant labels.)

To: Swordmaker

Thank you!


17 posted on 03/22/2019 10:25:13 AM PDT by BTerclinger (MAGA)

To: TheBattman
"True or false - these “hacks” required physical access to the computer in question? Or does it require tricking a user (running an account with admin privileges) into clicking a link to a nefarious web page?"

True and true.

18 posted on 03/22/2019 10:27:19 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
