A security researcher has discovered a Safari security vulnerability that gives access to the Touch Bar of the MacBook Pro. The vulnerability was first spotted last year and exists within macOS kernel. It was demonstrated at Pwn2Own 2018 that is underway in Vancouver, Canada. Two other Safari security vulnerabilities also showcased at the annual ethical hacking conference.
Samuel Groß of ethical hacker group Phoenhex reached the Pwn2Own conference on its day one to show the vulnerability targeting Apple's Safari browser with a macOS kernel EoP. He used a combination of a JIT optimisation bug in the browser alongside a macOS logic bug to escape the default sandbox and a kernel overwrite to execute his code with a kernel extension to gain the backdoor access, as described in a blog post on the Zero Day Initiative site. Through this workaround, he was able to type a message on the Touch Bar of the MacBook Pro.
Notably, this wasn't the first time when Groß successfully exploited the Safari vulnerability to use Touch Bar as a message screen. He showed this loophole last year as well. However, this time, he earned $65,000 (approximately Rs. 42 lakhs).
On the day two of the Pwn2Own conference, Georgi Geshev, Alex Plaskett, and Fabi Beterke of MWR Labs demonstrated two vulnerabilities to exploit Safari and eventually escape the sandbox. The team utilised a heap buffer underflow in the browser and an uninitialised stack variable in macOS to overcome the sandbox protection and gain code execution. This helps the researchers earn $55,000 (roughly Rs. 36 lakhs).
Similarly, Nick Nick Burnett, Markus Gaasedelen, and Patrick Biernat of Ret2 Systems targeted the Safari browser with a macOS kernel exploit. The team wasn't able to complete its demonstration during the allotted time, albeit it successfully showed the exploit and disclosed the vulnerability to Apple, which is a standard part of the conference.
Alongside the vulnerabilities surfaced at the Pwn2Own conference, researchers' group Checkpoint Research separately claimed that it has discovered a bug in the Mac version of the Google Chrome Remote Desktop extension that allows guest users to use an active session of an admin or other user accounts without requiring the password. "What is expected to happen is that the local user that connects remotely to a macOS machine will receive the desktop of a ‘Guest’. But while this is what appears in the remote machine, the local machine (the Chrome extension) receives the desktop of the other active user session, which in this case is an admin on the system, without ever entering the password," the Check Point Research team writes on its site while explaining the flaw.
Check Point Research reported the bug to Google last month, but the search giant refused to fix the bug by stating that the "login screen is not a security boundary". Therefore, users can retain security on their macOS devices simply by deleting the Chrome Remote Desktop extension.