
Safari hack allows control of Touch Bar; remote desktop bug provides inadvertent admin access

A security researcher has successfully exploited a Safari vulnerability to take control of the Touch Bar on a MacBook Pro. Samuel Groß demonstrated the exploit at the first day of this year’s Pwn2Own ethical hacking conference …

The final attempt on Day One saw Samuel Groß (5aelo) of phoenhex targeting Apple Safari with a macOS kernel EoP. Last year, his exploit involved a touchbar component, and this year proved to be no different.

He used a combination of a JIT optimization bug in the browser, a macOS logic bug to escape the sandbox, and finally a kernel overwrite to execute code with a kernel extension to successfully exploit Apple Safari. This chain earned him $65,000 and 6 points towards Master of Pwn. Similar to last year, he left a message for us on the touchbar once he was complete.

TippingPoint, the organization behind the conference, pays bounties for exploits so that its security software can protect against them ahead of vendor patches.

Apple has a good track record of timely responses to major security vulnerabilities, and for patching minor ones in regular updates, so we’d expect to see this one patched in an upcoming macOS update.

Separately, Check Point Research has discovered a serious bug in the Mac version of the Google Chrome Remote Desktop Application. This allows someone to gain access to an admin or other user account without requiring the password.

What is expected to happen is that the local user who connects remotely to a macOS machine will receive the desktop of a ‘Guest’. But while this is what appears on the remote machine, the local machine (the Chrome extension) receives the desktop of the other active user session, which in this case is an admin on the system, without ever entering the password.

CPR said that it reported the bug to Google a month ago, but the search giant said that it had no plans to fix it as ‘the login screen is not a security boundary.’


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
