Apple Patches Safari WebKit Zero-Day Exploit Uncovered at Pwn2Own

May 14, 2024

Apple has rolled out security patches to fix a zero-day flaw in its Safari web browser, which was exploited at the Pwn2Own Vancouver hacking competition this year. The vulnerability, tracked as CVE-2024-27834, was addressed on systems running macOS Monterey and macOS Ventura with improved checks. Manfred Paul, in collaboration with Trend Micro's Zero Day Initiative, reported this vulnerability. Paul had used this bug in combination with an integer underflow bug to achieve remote code execution (RCE) and win $60,000 at Pwn2Own.

Apple's advisory released on Monday stated, "An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication." Pointer Authentication Codes (PACs) are used in the arm64e architecture to detect and guard against unexpected changes to pointers in memory. When memory corruption causes a pointer to fail authentication, the CPU triggers an app crash.

While Safari 17.5 is also available for iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and visionOS 1.2, Apple has not yet confirmed if the CVE-2024-27834 bug has been patched on these platforms. For those using macOS Ventura or macOS Monterey, Safari can be updated independently of macOS via the System Settings.

At this year's Vancouver hacking contest, security researchers identified and reported 29 zero-days, receiving a total of $1,132,500. Manfred Paul was the top performer, earning $202,500 after demonstrating an RCE zero-day combination against Apple's Safari and a double-tap RCE exploit targeting a weakness in Google Chrome and Microsoft Edge's input validation during the first day of the competition.

On the second day, Paul exploited an out-of-bounds (OOB) write zero-day bug to achieve RCE and bypassed Mozilla Firefox's sandbox through an exposed dangerous function weakness. Google and Mozilla rectified the zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest concluded, with Google releasing patches five days later and Mozilla after just one day.

However, vendors usually do not rush to rectify security flaws exploited at Pwn2Own as Trend Micro's Zero Day Initiative discloses bug details after 90 days. On Monday, Apple also retroactively applied security patches released in March to older iPhones and iPads, rectifying an iOS zero-day that was exploited in attacks.
