When a bug, exploit or security hole appears in macOS or iOS, Apple usually fixes it quite quickly, in a matter of hours or at most two or three days. However, this does not mean that such flaws stop appearing, since no system is unbreakable.
At this year’s Pwn2Own conference, developer Samuel Groß managed to take control of the MacBook Pro’s Touch Bar via Safari.
There is no need to raise the alarm: security events usually hold contests with prizes for those who manage to break the security of a device.
This way, security companies and the companies behind the devices can fix the flaws and thus improve the overall security of the system. In return, those who manage to find the exploit receive a reward.
In the case of this year's Pwn2Own, the exploit has been reported to TippingPoint (the company organizing the event), which in turn will report it to Apple so that it can be fixed in future updates.
The bug itself allows an external party to control the Touch Bar of the MacBook Pro by accessing the computer through Safari.
The result? Samuel Groß remotely wrote a message on the Touch Bar saying that it had been hacked. Beyond displaying text, the bug would allow a third party to control the buttons and controls on the Touch Bar.
It is really a minor security bug, but it is likely that Apple will fix it in macOS High Sierra 10.13.4, the version that is now in beta and will be released in a few weeks.
Confirmed! @5aelo used a JIT optimization bug in the browser, a macOS logic bug, & a kernel overwrite to execute code to successfully exploit Apple Safari. This chain earned him $65K & 6 points Master of Pwn points. pic.twitter.com/iLfNFnXzzs
— Zero Day Initiative (@thezdi) March 15, 2018
If it were something really serious, Apple would release a mandatory security update for all devices, similar to what happened months ago with the root password security bug.