As usual, the annual Pwn2Own contest featured many hackers targeting the latest operating systems and browsers from the major vendors, including Apple. Threatpost reports
that the “Keen Team” focused Safari on Thursday and exploited it with relative ease.
The team took home a $40,000 bounty for their efforts on Safari, as well as a share in a $75,000 prize for co-engineering a zero-day Flash exploit. They say they will donate some of their winnings towards charities representing missing Malaysian Airplane passengers.
The group say that for Safari, they used two different exploit vectors. One vulnerability was a heap overflow in WebKit that enabled arbitrary code execution. The team then used this opening to use another exploit to bypass the application sandbox and run code as if it was user privileged.