Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari/MacBook First To Fall At Pwn2Own 2011

Posted by samzenpus on from the weakest-link dept.

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

11 of 492 comments (clear)

  1. Firefox/Linux by sakdoctor · · Score: 4, Interesting

    Firefox and Linux are under represented in pwn2own as usual.
    I'm not complacent, just saying it's nice.

    1. Re:Firefox/Linux by Anonymous Coward · · Score: 4, Interesting

      Quoting from the link: "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

      To me this like a combination of two classic arguments: one that Linux doesn't have enough market share to warrant our attention, two that it given the diversity of Linux, which is one of its security strong points, it might be too difficult to crack it and even if we did, we can't make as big of a media spectacle about it. If I recall correctly, Ubuntu was included in this test a year or two ago and was the only one that was not cracked.

  2. It is slowly ramping up by Sycraft-fu · · Score: 5, Interesting

    We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

    It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

    1. Re:It is slowly ramping up by coopaq · · Score: 1, Interesting

      I know. That argument is annoying. If they would just say they like the machine build quality, Unix like underpinnings and user interface better it would make it easier to listen to them.

      As for your antivirus comment. Well you must be a sys admin to love such crapware.

      Seriously in the middle of doing an install of Fedora 14 on my corporate laptop since McAfee is sucking the IO life out of my Windows install. I can jump through hoops to sometimes avoid it, but is company policy. 100000 files in my project and doing a simple copy to an external esata drive takes forever with McAfee cock blocking IO bullshit.

      No such trouble or company gripes with Linux.

  3. Holding back exploits to score quick victories? by jo_ham · · Score: 4, Interesting

    Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own, how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

    I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

  4. Re:Simple by Anonymous Coward · · Score: 5, Interesting

    Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

    At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

  5. Re:Simple by SuricouRaven · · Score: 4, Interesting

    Ideological differences. Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures. This means they will be in conflict with Apple, in the same way they are in conflict with Microsoft. Both companies behave in ways (Like requiring code-signing to run any software on an iPod/phone/pad) which are in very strong opposition to the openness and right to tinker that most geeks love.

  6. Re:Simple by andyr86 · · Score: 3, Interesting

    If you look at the article both exploits took roughly 6 man weeks to find and setup. Safari's took 2 weeks for 3 researchers and IE8s took 6 weeks for 1. They are both as bad as each other really.

  7. Re:Simple by Savage-Rabbit · · Score: 3, Interesting

    >>>OS X 10.6 was only $30

    That was a sale price. The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years.

    Which is fine if you have the money to spend.
    I don't.

    I know people who spend more than $500 on their gaming rig at way lower intervals than 10 years. The average person will spend more than $500 on cellphones over 10 years. Never mind the premium in fuel bills alone that people pay for an SUV or even a BMW or a slightly souped-up hatchback. I can afford to upgrade OS X every two years and IMHO I get my money's worth.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  8. Re:Chrome was updated by skyfex · · Score: 5, Interesting

    This article seems to indicate so:

    http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

    "But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize."

  9. Re:Chrome was updated by inpher · · Score: 4, Interesting

    Chrome got to use the built in auto mechanism just before the contest started (source 1, source 2, source 3) which is probably why the contestant registered to try to beat Chrome did choose not to try.