Slashdot Mirror


Next Pwn2Own Contest Targets IE8, Firefox, iPhone

Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."

9 of 64 comments

  1. Re:Unbalanced? by jpmorgan · · Score: 2, Insightful

    But I thought OS X is inherently more secure, and the perceived security has nothing to do with it being a less tempting target than Windows.

    Or at least, that's what everybody tells me...

  2. How much attention does this get? by jpmorgan · · Score: 2, Insightful

    How much attention does this contest actually get? While there are lots of upstanding people who will participate, I would be surprised if there weren't quite a few talented individuals who will not be participating.

    I mean, if you're a blackhat, an exploit for any of these targets is worth a lot more than a laptop or a mobile phone.

    1. Re:How much attention does this get? by Chabo · · Score: 3, Insightful

      The blackhats try to exploit the whole contest so that nobody can win. :)

      Then they continue to use the holes only they know about.

      --
      Convert FLACs to a portable format with FlacSquisher
  3. Re:Unbalanced? by rsmith-mac · · Score: 4, Insightful

    The current security situation of the platform is not an XOR matter. It is inherently more secure thanks in large part to tested Unix/BSD bits and very few backwards compatibility hacks that later end up used as vulnerabilities, but at the same time there are vulnerabilities that have not been found because not nearly as many people poke at it as they do Windows. If as many people poked at Mac OS X as they did Windows I'm sure we'd see more vulnerabilities in the wild, but I have no reason to believe there would be as many as we see with Windows.

    As for the contest at hand, I'd be shocked if they didn't break it. Browsers are a mess, and this goes for IE8, Firefox, and Safari. They'll most certainly get Safari to trigger a remote code execution situation; the bigger challenge will be finding a local privilege escalation flaw to combine that with to actually own the system.

  4. Re:Unbalanced? by mjwx · · Score: 4, Insightful

    (Flamebait)It shouldn't matter though because OSX running on proprietary Apple hardware with its uber *nix underpinnings is supah secure.(/Flamebait)

    I know you're trying to be funny, but even the NT kernel is secure. Almost every single exploit will come in via applications; this is true for Mac, Linux/Unix and Windows.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  5. Re:Unbalanced? by Jurily · · Score: 4, Insightful

    Apple has a history of virtually 100% secure operating systems, especially OS X that is going on almost a decade without a single virus or worm.

    FTFA:

    In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple's QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

  6. Re:Unbalanced? by v1 · · Score: 4, Insightful

    fwiw, all the successful attacks I've seen were due to privilege escalation for a local user. The key difference most people are talking about is being secure over a network, from a remote attacker. Viruses don't really even count here, just worms. It's a lot more important to be secure from the 35 million people out on the internet than from the 2 that have an account on your computer.

    Windows has been shown to fail miserably, repeatedly, and in epic ways in this respect. OS X has yet to be owned remotely. Correct me if I'm wrong here, I'd like to hear about it.

    --
    I work for the Department of Redundancy Department.
  7. Re:Unbalanced? by Anonymous Coward · · Score: 1, Insightful

    How about both the examples in the parent post? One is where you load a malicious webpage when you have QuickTime installed (almost everyone) and the other is loading a malicious webpage in Safari without needing any extra stuff installed.

  8. Re:Unbalanced? by v1 · · Score: 2, Insightful

    Now OS X has been less vulnerable to worms spreading automatically compared to Windows

    Please provide one example of a worm that spreads automatically on OS X.

    Saying "less vulnerable" makes it sound like Windows and OS X even have some remote similarity. "Hundreds of examples" vs "no examples" hardly qualifies you to say "less vulnerable".

    Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2 leads an uninformed observer to question the safety of my shoe. It's deceptive.

    --
    I work for the Department of Redundancy Department.