Slashdot Mirror


Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

3 of 492 comments

  1. Re:Simple by clang_jangle · Score: 5, Informative

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, rather than just the one-sided flamebait we got...

    --
    Caveat Utilitor
  2. Re:no surprise there by somersault · Score: 5, Informative

    They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

    --
    which is totally what she said
  3. Re:Simple by Gadget_Guy · Score: 5, Informative

    Actually the reason Safari went down first was because it was the first target.

    But they don't all hack the same computer at the same time. Everybody is allocated a 30-minute timeslot with the different computers, and they all get attacked at the same time. At least, that is how it was described in previous years.

    When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.