Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari/MacBook First To Fall At Pwn2Own 2011

Posted by samzenpus on from the weakest-link dept.

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

7 of 492 comments (clear)

  1. Re:Simple by clang_jangle · · Score: 5, Informative

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, rather than just the one-sided flamebait we got...

    --
    Caveat Utilitor
  2. Re:no surprise there by somersault · · Score: 5, Informative

    They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

    --
    which is totally what she said
  3. Re:Simple by C_amiga_fan · · Score: 4, Informative

    >>>Apple is it lately.

    I don't have a problem with Apple.

    I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

    --
    FREE magazine : http://clarkesworldmagazine.com/prior/
  4. Re:Simple by Gadget_Guy · · Score: 5, Informative

    Actually the reason Safari went down first was because it was the first target.

    But they don't all hack the same computer at the same time. Everybody is allocated a 30 minute timeslot with the different computers and they all get attacked at the same time. At least, that is how it was described in previous years.

    When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

  5. Re:Simple by jo_ham · · Score: 4, Informative

    Yes, exactly like buying Windows Vista Extreme Ultimate Hyper Edition every so often.

    If you have an Intel Mac (which you need for 10.6 and 10.7), then you have owned since *at most* January 2006. In that time you could have had 10.4 (released April 05), 10.5 (released October 07), 10.6 (released August 2009).

    The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

    If your Intel Mac came with 10.5 you've only had the option to upgrade once - for $29.

    But yes, I'm sure it's a grand conspiracy to force you to spend "another" $100 (when the price of Lion has yet to be confirmed).

  6. Re:Simple by clang_jangle · · Score: 4, Informative
    Ars has a much better article up. Here's a quote:

    Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox.

    So it appears you may be the one whose smugness is unwarranted. :D

    --
    Caveat Utilitor
  7. Re:Simple by LanMan04 · · Score: 4, Informative

    I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize.

    Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.

    --
    With the first link, the chain is forged.