From the annual Pwn2Own exploit festival, held in Vancouver:
Fang Jiahong and Liang Chen represented the Keen Team at Pwn2Own on Thursday, starting off the second day of the annual exploit festival with a quick takedown of Apple’s Safari browser. They then wrapped up the contest with a successful zero-day exploit of Adobe Flash, the second time the Adobe product was toppled.
For their Pwn2Own Safari bug, Chen said Keen Team exploited two vulnerabilities. The first was a heap overflow in Safari's WebKit that gave them arbitrary code execution, but that alone wasn't enough to pwn the underlying Mavericks version of OS X. Chen said he had to chain it with a second vulnerability to successfully exploit the system.
“We utilized another system vulnerability to bypass the sandbox to get a process running in the user’s context,” he said. The bugs were disclosed to HP’s Zero Day Initiative, which sponsored Pwn2Own and bought all of the vulnerabilities exploited during the contest. Apple was present as well for the disclosure.
“I think the Webkit fix will be relatively easy,” Chen said. “The system-level vulnerability is related to how they designed the application; it may be more difficult for them.”
Chen said the big challenge was bypassing the Safari sandbox because the exposed attack surface is so small compared to Internet Explorer, for example.
As for the relative safety of Mac OS X versus other platforms?
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
Here’s what he had to say about Android:
“Google has been very good about security, but vendors write their own code or hardware vendors write their own kernel modules and drivers,” Jiahong said. “Your (research) methodology may not apply to every system.”