I guess MacBook Pro’s Touch Bar isn’t as secure as we thought. Security researchers demonstrated multiple hacks of macOS on the first day of Pwn2Own 2017, including one that left a special message on the new MacBook’s Touch Bar.
Zero Day Initiative details the successful hacks of the day:
Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) targeting Apple Safari with an escalation to root on macOS
● PARTIAL SUCCESS: In a partial win, Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) earn some style points by leaving a special message on the touch bar of the Mac. They used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. They still managed to earn $28,000 USD and 9 Master of Pwn points.
Chaitin Security Research Lab (@ChaitinTech) targeting Apple Safari with an escalation to root on macOS
● SUCCESS: The Chaitin Security Research Lab (@ChaitinTech) successfully exploited Apple Safari to gain root access on macOS by using a total of six bugs in their exploit chain including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer. This earned the team $35,000 and 11 points towards Master of Pwn.
ZDI is offering more than $1,000,000 across different categories to see the latest research and will again crown a Master of Pwn at the end of three days.
This year’s event features 11 teams of contestants targeting products across four categories – 30 different attempts in total. Each contestant has three attempts within their allotted timeslot to demonstrate the exploit.