Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own


Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year’s Pwn2Own Vancouver hacking competition.

The company addressed the security flaw (tracked as CVE-2024-27834) on systems running macOS Monterey and macOS Ventura with improved checks.

While Apple only said that the vulnerability was reported by Manfred Paul, working with Trend Micro’s Zero Day Initiative, this is one of the bugs the security researcher chained with an integer underflow bug to gain remote code execution (RCE) and earn $60,000 during Pwn2Own.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple explains in a Monday advisory.

Pointer authentication codes (PACs) are used on the arm64e architecture to detect and guard against unexpected changes to pointers in memory: when a pointer has been corrupted and its authentication check fails, the CPU faults and the app crashes rather than continuing with the tampered pointer.

While Safari 17.5 is also available for iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and visionOS 1.2, Apple has yet to confirm if it also patched the CVE-2024-27834 bug on these platforms.

If you run macOS Ventura or macOS Monterey, you can update Safari without updating macOS by going to Apple menu > System Settings > General > Software Update and clicking “More info…” under “Updates Available.”

Pwn2Own Vancouver 2024

Security researchers collected $1,132,500 after exploiting and reporting 29 zero-days at this year’s Vancouver hacking contest.

Manfred Paul emerged as the winner and earned $202,500 in cash after demoing an RCE zero-day combo against Apple’s Safari web browser and a double-tap RCE exploit targeting an Improper Validation of Specified Quantity in Input weakness in the Google Chrome and Microsoft Edge web browsers during the first day of the hacking competition.

On the second day, Manfred Paul exploited an out-of-bounds (OOB) write zero-day bug to gain RCE and escaped Mozilla Firefox’s sandbox via an exposed dangerous function weakness.

Google and Mozilla fixed the zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest ended, with Google releasing patches five days later and Mozilla after just one day.

However, vendors rarely hurry to fix security flaws exploited at Pwn2Own since Trend Micro’s Zero Day Initiative publicly discloses bug details after 90 days.

On Monday, Apple also backported security patches released in March to older iPhones and iPads, fixing an iOS zero-day tagged as exploited in attacks.
