Security researches competing at the annual Pwn2own conference yesterday uncovered two zero-day vulnerabilities in Safari. Two teams successfully exploited the bugs they found to achieve root access to macOS, while a third attempt failed.
Eleven teams are competing for a total $1M prize pot, with three of the ten attempts to date targeting Safari …
Chaitin Security Research Lab chained together an exploit that took advantage of sex separate bugs to escalate their access to root on macOS, winning a $35,000 prize.
Samuel Groß and Niklas Baumstark won $28,000 for exploiting five bugs to display a message on the Touch Bar of a 2016 MacBook Pro.
Full details of both exploits will be provided to Apple so that the bugs can be fixed before they are made public.
The conference and competition continue today, though the targets have not yet been announced.
Safari is regularly targeted in the competition, the most embarrassing success being back in 2011 against Safari 5.0.4. French security firm Vupen took just five seconds to exploit a vulnerability in the browser to gain root access to a MacBook Air, winning the machine as part of their prize. In 2014, one team successfully exploited two Safari bugs in the iOS version to take control of an iPhone 5s, while another gained root access on the Mac, though noted that OS X security was better than other platforms.