The Pwn2Own security conference and competition sees many impressive exploits discovered every year and 2017 is no different. We’ve seen a number of successes (via MacRumors) that have cracked open the Linux Kernel, Adobe Reader, and Microsoft’s Edge browser. A few hacks managed to breach Apple security, too, which is what let one team post their message to the Touch Bar.
Samuel Groß and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of MacOS on a MacBook Pro. While that itself granted them their monetary prize and nine points in the Pwn2Own competition, they impressed onlookers even more by adding a custom message to the Touch Bar which read: “pwned by niklasb and saelo.”
Baumstark later explained on Twitter why the hack was only considered a partial success, despite its efficacy.
— Niklas Baumstark (@_niklasb) March 15, 2017
The contest, which is offering over a million dollars in prizes this year, has seen another group utilize an exploit in Safari to earn some points and funds for themselves. The Chaitin Security Research Lab successfully breached Safari to gain root access on MacOS. Because its attempt was seen as a full, rather than a partial, success, it earned $35,000 and 11 points for its trouble, though there were no props given for Touch Bar takeover in this case.
Although other teams also attempted to breach Safari with an escalation to root on MacOS, they couldn’t manage it within their allotted time.
As impressive as the first day of Pwn2Own 2017 has been, there is still much more to come. The schedule for day two is now live and shows a lot of people and teams getting ready to try to crack open many pieces of commercial software, including MacOS. We’ll no doubt learn more about their efforts when the results are posted later today.
Thanks to Trend Micro for sending through the header video.