Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari/MacBook First To Fall At Pwn2Own 2011

Posted by samzenpus on from the weakest-link dept.

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

12 of 492 comments (clear)

  1. Re:Firefox/Linux by Anonymous Coward · · Score: 3, Informative

    Why Pwn2Own doesn't target Linux

  2. Re:Chrome was updated by Nerdfest · · Score: 3, Informative

    I believe Apple released 50+ patches a few minutes before the contest. No special treatment for Google that I'm aware of.

  3. Re:Simple by clang_jangle · · Score: 5, Informative

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, rather than just the one-sided flamebait we got...

    --
    Caveat Utilitor
  4. Re:no surprise there by somersault · · Score: 5, Informative

    They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

    --
    which is totally what she said
  5. Re:Simple by C_amiga_fan · · Score: 4, Informative

    >>>Apple is it lately.

    I don't have a problem with Apple.

    I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

    --
    FREE magazine : http://clarkesworldmagazine.com/prior/
  6. misleading title on /.? never! by risinganger · · Score: 3, Informative

    Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak.
     
    Please feel free to resume posting uninformed comments now.

    1. Re:misleading title on /.? never! by bidule · · Score: 3, Informative

      The successful hack came in spite of a large security patch, Safari 5.0.4, that Apple released ahead of the competition, patching some 60 security holes in the browser. As well as Safari, Apple also patched iOS to version 4.3. This is because, in a change to historic competition rules, the system configuration was frozen last week, so the last-minute fix hasn't prevented exploitation.

      How to make the truth a lie.

      --
      ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
  7. Re:Simple by Gadget_Guy · · Score: 5, Informative

    Actually the reason Safari went down first was because it was the first target.

    But they don't all hack the same computer at the same time. Everybody is allocated a 30 minute timeslot with the different computers and they all get attacked at the same time. At least, that is how it was described in previous years.

    When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

  8. Re:Simple by jo_ham · · Score: 4, Informative

    Yes, exactly like buying Windows Vista Extreme Ultimate Hyper Edition every so often.

    If you have an Intel Mac (which you need for 10.6 and 10.7), then you have owned since *at most* January 2006. In that time you could have had 10.4 (released April 05), 10.5 (released October 07), 10.6 (released August 2009).

    The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

    If your Intel Mac came with 10.5 you've only had the option to upgrade once - for $29.

    But yes, I'm sure it's a grand conspiracy to force you to spend "another" $100 (when the price of Lion has yet to be confirmed).

  9. Re:Simple by clang_jangle · · Score: 4, Informative
    Ars has a much better article up. Here's a quote:

    Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox.

    So it appears you may be the one whose smugness is unwarranted. :D

    --
    Caveat Utilitor
  10. Re:Simple by Gadget_Guy · · Score: 3, Informative

    Excuses, excuses. Your Mac is an insecure piece of shit.

    That is just juvenile. The Mac is definitely not as magically secure as a lot of fans like to suggest, but it is not an "insecure piece of shit". Apple has been paying more attention to security these days, so the OS and browser will only get more secure as time goes by.

    However, you are correct that the original poster was talking rubbish. Every year the Mac goes down first and every year people come up with the same excuse that the hackers target it because they want the prize more than the others. But as VUPEN's twitter post shows, they were allocated to the Mac first by the organisers. They got IE second, but I guess they must have been too late as someone else got that one.

  11. Re:Simple by LanMan04 · · Score: 4, Informative

    I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize.

    Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.

    --
    With the first link, the chain is forged.