MWR Labs, the research arm of global consultancy MWR InfoSecurity, has successfully demonstrated attacks against Apple’s Safari at this year’s Pwn2Own competition. MWR Labs leveraged a heap buffer underflow in the browser and an uninitialized stack variable in macOS to exploit Safari and escape the sandbox.
John Fitzpatrick, Managing Director, MWR InfoSecurity, commented:
“The team at MWR thrive on challenging themselves to find new and creative vulnerabilities in a world where the bar is continually being raised. Pwn2Own challenges them to do just that; and at the same time to play a part in actively enhancing the security of some of the most commonly used technologies.
“I'm hugely impressed and proud of the team at MWR and know that our clients are reassured to benefit from working with an organisation dedicated to pushing the boundaries of the industry. No doubt the guys are already eyeing up their next target. I look forward to seeing what they hit next.”
Apple have been made aware of the vulnerabilities and are now working to patch them. Once the vulnerabilities are patched, MWR intends to publish advisories in due course on its Labs website in accordance with MWR’s disclosure policy.
Established in 2003, MWR is an independent cyber security consultancy delivering research-led cyber security for clients around the globe.
It provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools. It focuses on working with clients to develop and deliver security programs, tailored to meet the needs of each individual organisation. In a rapidly changing technology landscape, innovation is essential and its ambition to push boundaries sets it apart. Evidence of this approach is well documented on its dedicated research and development platform, MWR Labs.
Central to MWR's philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients.