Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari/MacBook First To Fall At Pwn2Own 2011

Posted by samzenpus on from the weakest-link dept.

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

3 of 492 comments (clear)

  1. It is slowly ramping up by Sycraft-fu · · Score: 5, Interesting

    We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

    It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

  2. Re:Simple by Anonymous Coward · · Score: 5, Interesting

    Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

    At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

  3. Re:Chrome was updated by skyfex · · Score: 5, Interesting

    This article seems to indicate so:

    http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

    "But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize."