![Two Safari Exploits Demonstrated at Pwn2Own Vancouver 2019, One Resulted in Complete System Compromise [Video] Two Safari Exploits Demonstrated at Pwn2Own Vancouver 2019, One Resulted in Complete System Compromise [Video]](/images/news/69997/341846/341846-64.png)
Two Safari Exploits Demonstrated at Pwn2Own Vancouver 2019, One Resulted in Complete System Compromise [Video]
Posted March 21, 2019 at 5:14pm by Shalom Levytam
Two groups of hackers demonstrated zero-day exploits of Apple's Safari web browser at Pwn2Own Vancouver 2019 yesterday, with one of the exploits leading to a complete system compromise.
The Fluoroacetate team, consisting of Amat Cama and Richard Zhu, successfully exploited the browser and escaped the sandbox by using an integer overflow in the browser and a heap overflow. The attempt took nearly the entire allowed time because they used a brute-force technique during the sandbox escape: the code would fail, then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.
Ending the day, the phoenhex & qwerty team (@_niklasb, @qwertyoruiopz and @bkth_) targeted Apple Safari with a kernel elevation. Browsing to a website, the team triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Despite achieving complete system compromise, it was only a partial win since Apple already knew about one of the bugs used. They earned $45,000 USD and 4 points towards Master of Pwn.
Take a look at the video below for more of the day's results...