Apple Patches Safari WebKit Zero-Day Exploit Uncovered at Pwn2Own
May 14, 2024
Apple has released security patches to fix a zero-day flaw in its Safari web browser that was exploited at this year's Pwn2Own Vancouver hacking competition. The vulnerability, tracked as CVE-2024-27834, was addressed on systems running macOS Monterey and macOS Ventura through enhanced checks. Manfred Paul, in collaboration with Trend Micro's Zero Day Initiative, reported this vulnerability. Paul had used this bug in combination with an integer underflow bug to achieve remote code execution (RCE) and win $60,000 at Pwn2Own.
Apple's advisory, released on Monday, stated, "An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication." Pointer Authentication Codes (PACs) are employed in the arm64e architecture to identify and protect against unexpected pointer changes in memory. When memory corruption causes a pointer to fail authentication, the CPU triggers an app crash.
While Safari 17.5 is also available for iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and visionOS 1.2, Apple has not yet confirmed if the CVE-2024-27834 bug has been patched on these platforms. For those using macOS Ventura or macOS Monterey, Safari can be updated independently of macOS via the System Settings.
At this year's Vancouver hacking contest, security researchers identified and reported 29 zero-days, receiving a total of $1,132,500. Manfred Paul was the top performer, earning $202,500 after demonstrating an RCE zero-day combination against Apple's Safari and a double-tap RCE exploit targeting a weakness in Google Chrome and Microsoft Edge's input validation during the first day of the competition.
On the second day, Paul exploited an out-of-bounds (OOB) write zero-day bug to achieve RCE and bypassed Mozilla Firefox's sandbox through an exposed dangerous function weakness. Google and Mozilla rectified the zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest concluded, with Google releasing patches five days later and Mozilla after just one day.
However, vendors usually do not rush to rectify security flaws exploited at Pwn2Own as Trend Micro's Zero Day Initiative discloses bug details after 90 days. On Monday, Apple also retroactively applied security patches released in March to older iPhones and iPads, rectifying an iOS zero-day that was exploited in attacks.