Mac computers have always presumed, at least their users, to be immune to viruses, malware, spyaware and other methods to infect computer equipment. This is not the case, as the only reason hackers have targeted Windows rather than OS X / macOS is because of its worldwide market share.
In fact, in recent years, it is increasingly common to see how macOS is affected by this type of software, who wants to get hold of our data, track our activity or even encrypt the contents of our entire computer in exchange for a ransom (ransomware). Speaking of security and macOS, a group of hackers two zero-day exploits at the Safari Zero Day Initiative held in Vancouver.
Zero-day exploits are those that have been present in the application from its final version, without the developer having knowledge of it at any time. Both exploits can be used to escalate privileges in macOS until they gain full control.
The first exploit lets jump in sandbox, a protection that macOS uses to ensure that applications only have access to their own data or any system data that Apple allows. Through this exploit, any information that we have stored on our computer can be accessed through the Safari browser. This exploit has been discovered by Amat Cama and Richard Zhu who have obtained a price of 55.000 dollars.
The second exploit is even more dangerous, since it allows get root and kernel access from a Mac, allowing you to take full control of a team. This second exploit has been discovered by @_niklasb @qwertyoruiopz and @bkth_ with which they have managed to get $ 45.000.
Safari always it has been one of the main access points for hackers. During the past year, during the competition that has been held in Vancouver where these two new exploits have been detected, other hackers detected another exploit that allowed them to take control of the Touch Bar in MacBook Pro, this being the one that demanded the most attention of the other 3 that were also detected in the Apple browser.
This event, sponsored by Trend Micro and called Zero Day Initiave (ZDI), was created to motivate hackers to report vulnerabilities that they usually detect instead of selling them to third parties, although it is the best way to obtain much more money than through these prizes, the amount of which is increased every year.