Press Release

MWR Labs pwn Safari at Pwn2Own 2018


MWR Labs, the research arm of global consultancy MWR InfoSecurity, has successfully demonstrated attacks against Apple’s Safari at this year’s Pwn2Own competition. MWR Labs leveraged a heap buffer underflow in the browser and an uninitialized stack variable in macOS to exploit Safari and escape the sandbox.

John Fitzpatrick, Managing Director, MWR InfoSecurity, commented:

“The team at MWR thrive on challenging themselves to find new and creative vulnerabilities in a world where the bar is continually being raised. Pwn2Own challenges them to do just that; and at the same time to play a part in actively enhancing the security of some of the most commonly used technologies.

“I'm hugely impressed and proud of the team at MWR and know that our clients are reassured to benefit from working with an organisation dedicated to pushing the boundaries of the industry. No doubt the guys are already eyeing up their next target; I look forward to seeing what they hit next.”

Apple have been made aware of the vulnerabilities and are now working to patch them. Once the vulnerabilities are patched, MWR intends to publish advisories on its Labs website in due course, in accordance with MWR’s disclosure policy.



About MWR InfoSecurity

Established in 2003, MWR is an independent cyber security consultancy delivering research-led cyber security for clients around the globe.

It provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools. It focuses on working with clients to develop and deliver security programs, tailored to meet the needs of each individual organisation. In a rapidly changing technology landscape, innovation is essential and its ambition to push boundaries sets it apart. Evidence of this approach is well documented on its dedicated research and development platform, MWR Labs.

Central to MWR's philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients.






Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.