Slashdot Mirror


Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

7 of 492 comments

  1. Hilarious by theolein · Score: 5, Insightful

    I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being Windows due to market share, but Macs have a big enough market share these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

  2. Re:Simple by TheRaven64 · Score: 5, Insightful

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use. It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

    --
    I am TheRaven on Soylent News
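
The "fine-grained sandbox" TheRaven64 refers to is the OS X sandbox facility (Seatbelt) that ships with 10.5 and later; policies are written in its Scheme-like profile language and applied with sandbox-exec(1). The profile below is an added illustrative example, not Apple's or Safari's real policy: it assumes the profile syntax accepted by sandbox-exec, uses placeholder paths, and grants only what is needed to show how a deny-by-default policy would have blocked the two effects the contest exploit demonstrated (spawning Calculator and writing a file). A real browser profile would need many more allowances (Mach services, preferences, plug-ins) to run at all.

```scheme
;; browser.sb -- illustrative deny-by-default profile (added example, placeholder paths).
;; Assumes the SBPL syntax that sandbox-exec(1) accepts on OS X 10.5+.
(version 1)

;; Anything not explicitly allowed below is refused and logged by the kernel.
(deny default)

;; Read-only access to the frameworks and the application bundle the browser needs.
(allow file-read* (subpath "/System/Library"))
(allow file-read* (subpath "/usr/lib"))
(allow file-read* (subpath "/Applications/Safari.app"))

;; Writes are confined to one cache directory (placeholder user and path).
;; An exploit that tries to drop a file on the Desktop or in /tmp is denied here.
(allow file-write* (subpath "/Users/example/Library/Caches/example-browser"))

;; Outbound HTTP/HTTPS so pages still load.
(allow network-outbound (remote tcp "*:80"))
(allow network-outbound (remote tcp "*:443"))

;; Deliberately no process-exec rule: under (deny default) the renderer cannot
;; launch /Applications/Calculator.app or any other binary, even after a
;; successful code-execution bug.
;;
;; To test the policy against a binary (placeholder path):
;;   sandbox-exec -f browser.sb /Applications/Safari.app/Contents/MacOS/Safari
;; Denied operations show up in system.log as "sandbox: ... deny ..." lines,
;; which is also what a defender would watch for.
```
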
  3. Re:Simple by DrXym · Score: 5, Insightful

    I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it makes no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

    It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

    So basically it sounds like you're making excuses.

  4. Re:Simple by mikael_j · Score: 5, Insightful

    Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

    --
    Greylisting is to SMTP as NAT is to IPv4

  5. Re:Simple by dotwhynot · Score: 5, Insightful

    It's called "Pwn2Own": the hackers win the machines they hack.

    Everyone wants Macs. They hack them first. The other computers come down minutes later.

    First one wins $15k cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

  6. Re:Simple by BasilBrush · Score: 5, Insightful

    Slashdotters like such principles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures.

    That should read "Some Slashdotters..."; there certainly isn't universal agreement on those. Particularly those who make a living by developing and selling software very often won't agree with that entire list.

  7. Re:Simple by terjeber · Score: 5, Insightful

    Eh, let's see if your "logic" holds up. The winner wins $15,000 AND the machine they hack. So, what would a rational person do: hack the easiest in an attempt to win $15,000 AND a $2,000 laptop, or hack the hardest in an effort to (most likely) ONLY win the $2,000 laptop?

    I am certain that a Mac fanboi would go straight for the "un-hackable" Apple iron, any rational person would go straight for the box he figured he could hack the fastest though. I think these guys are relatively rational.