Slashdot Mirror


Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

6 of 492 comments

  1. Never been an issue before by Anonymous Coward · Score: 5, Funny

    No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

  2. Re:Hilarious by Anonymous Coward · Score: 2, Funny

    Time to move to Lynx on OpenBSD :-).

  3. Re:Simple by daid303 · Score: 4, Funny

    The researcher who was going to go after Chrome never showed up...

    So... Google has the best assassins?

  4. Re:Simple by filthpickle · Score: 4, Funny

    He used Google Maps to find the place... and oh, he found it...

  5. I feel a disturbance by Dunbal · Score: 3, Funny

    I feel a disturbance in the Force, as if a million Apple users suddenly cried out in terror, and were pwn3d.

    --
    Seven puppies were harmed during the making of this post.

  6. Re:Simple by drinkypoo · Score: 3, Funny

    At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux.

    AFAIK only Fedora really uses SELinux; everyone else uses AppArmor or nothing. What's sad is that Apple doesn't even have ANY capabilities-based security, not even as good as AppArmor.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"