Safari exploit successfully demonstrated at Pwn2Own 2018

LASER_oneXM

Trend Micro's Zero Day Initiative kicked off its annual Pwn2Own hacking competition on Wednesday with two attempts to exploit Apple's Safari web browser, one of which was successful.


Samuel Groß of phoenhex hacked Safari with a three-bug chain containing a macOS elevation of privilege vulnerability, according to the convention's blog.

A press release provided additional detail, saying the exploit modified text on a MacBook Pro's touchbar. Groß received $65,000 for his efforts and six points toward the coveted Master of Pwn title.

A separate Safari exploit was attempted by Richard Zhu, who bypassed iPhone 7 security protocols using two Safari bugs at the Mobile Pwn2Own event in November. At Pwn2Own 2018, Zhu was unable to get his sandbox escape up and running within the allotted 30-minute time limit.

Zhu did, however, successfully target Microsoft Edge with a Windows kernel EoP, specifically two use-after-free (UAF) vulnerabilities and an integer overflow in the kernel.

Groß's phoenhex teammate Niklas Baumstark also saw partial success in a bug targeting Oracle VirtualBox.
 
