Cybersecurity researchers have found two new zero-day Safari exploits!
First, it will allow hackers to escalate their privileges to the point that they were able to completely take over your Mac, which is critical!
This first exploit works because it can escape the macOS protection sandbox. This malicious exploit can escape the browser and the sandbox by using an integer overflow in the browser and a heap overflow to escape the sandbox. The cyber attack begins can be done through a brute force technique that facilitates the sandbox escape, meaning that the code would fail then try again until it succeeded.
The second exploit is even more dangerous than the previous one because it can gain both root and kernel access to the targeted Mac. Cybersecurity researchers managed to demonstrate a complete system compromise.
Remember everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;
Their method was the following:
By accessing a specially crafted website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read that was used twice; then they pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug.
The only good news here is that Apple already knows of one of the bugs! Everyone must know that Safari is a common access point for hackers. For example it the past year researchers saw one zero-day Safari exploit used to take control of the Touch Bar on the MacBook Pro, and another three more Safari-based exploits.
Cybersecurity researchers will always provide us with exclusive information about previously un-patched vulnerabilities they have discovered, so stay tuned!. We always do background information check in order to validate the identity of the researcher strictly for ethical oversight. Our internal researchers and analysts validate every issue in our security labs before delivering the info to you!
We would continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.