Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari/MacBook First To Fall At Pwn2Own 2011

Posted by samzenpus on from the weakest-link dept.

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

80 of 492 comments (clear)

  1. Simple by Anonymous Coward · · Score: 2, Insightful

    It's called "Pwn2Own": the hackers win the machines they hack.

    Everyone wants Macs. They hack them first. The other computers come down minutes later.

    1. Re:Simple by TheRaven64 · · Score: 5, Insightful

      I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

      The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use. It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

      --
      I am TheRaven on Soylent News
    2. Re:Simple by DrXym · · Score: 5, Insightful
      I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

      It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

      So basically it sounds like you're making excuses.

    3. Re:Simple by clang_jangle · · Score: 5, Informative

      I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

      Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, rather than just the one-sided flamebait we got...

      --
      Caveat Utilitor
    4. Re:Simple by Anonymous Coward · · Score: 5, Interesting

      Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

      At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

    5. Re:Simple by mikael_j · · Score: 5, Insightful

      Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

      --
      Greylisting is to SMTP as NAT is to IPv4
    6. Re:Simple by V!NCENT · · Score: 2

      Where's the Mandatory access control feature on the iMac? Will you help me find it for me please? I'm thinking about making the switch because NT6.1 doesn't have it.

      --
      Here be signatures
    7. Re:Simple by daid303 · · Score: 4, Funny

      The researcher who was going to go after Chrome never showed up...

      So... google has the best assassins?

    8. Re:Simple by aliquis · · Score: 2

      Mac reta... err.. users always got an excuse!

      I doubt it's got much to do with everyone actually wanting a mac but rather more than people either shooting for the mac because of the fame and extra publicity or because of Apples (and their users) arrogance.

    9. Re:Simple by N1AK · · Score: 3, Insightful

      What's that rumbling sound I hear? Ach mein gott, it's the stampede of anti-apple trolls with their one-dimensional stereotypes, flaming straw men, and tired, old memes!

      Wow. Using 'straw men' in your creation of a straw man argument, my hypocrisy detector nearly blew a fuse.

    10. Re:Simple by C_amiga_fan · · Score: 4, Informative

      >>>Apple is it lately.

      I don't have a problem with Apple.

      I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

      --
      FREE magazine : http://clarkesworldmagazine.com/prior/
    11. Re:Simple by MrHanky · · Score: 2

      Excusing Apple from being hacked is by definition (2) an apology. Being emotional (something which is only your imaginative interpretation of my rather terse writing, btw) does not negate being rational, on the other hand. You're attacking my comments with false logic and false propositions. Good work for someone pretending to be the rational one.

    12. Re:Simple by dotwhynot · · Score: 5, Insightful

      It's called "Pwn2Own": the hackers win the machines they hack.

      Everyone wants Macs. They hack them first. The other computers come down minutes later.

      First one wins 15k$ cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

    13. Re:Simple by filthpickle · · Score: 4, Funny

      he used google maps to find the place.....and oh, he found it....

    14. Re:Simple by SuricouRaven · · Score: 4, Interesting

      Ideological differences. Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures. This means they will be in conflict with Apple, in the same way they are in conflict with Microsoft. Both companies behave in ways (Like requiring code-signing to run any software on an iPod/phone/pad) which are in very strong opposition to the openness and right to tinker that most geeks love.

    15. Re:Simple by Dunbal · · Score: 4, Insightful

      But you have to understand the psychological aspect. I mean if you had paid twice as much for a brand and a look, found out that for your money you weren't getting much else, and watched the software you thought unhackable fail so miserably when you thought you were paying for security, you would be in denial too and rush to their defense. It's not Apple he is defending, it's his own feeling of foolishness that he's trying to cover up.

      --
      Seven puppies were harmed during the making of this post.
    16. Re:Simple by clang_jangle · · Score: 2

      Yes I understand all that, but the thing that trips me up is that I always hope that these discussions will be somewhat rational and fact-based. Whenever Apple comes up it's as if most people here completely lose their intelligence through emotional overload or something. Between the haters and the fanbois one can hardly participate without being assigned a "side" and painted as a one-dimensional stereotype. Factual observations expressed with attempted humor get modded "troll", trolls get modded "insightful"... Reminds me of that original Star Trek episode about Landrew and the Red Hour . "You are not of the body!".

      --
      Caveat Utilitor
    17. Re:Simple by andydread · · Score: 2

      wow thats a different apologist twist on the issue that Macs are the least secure operating systems and get hacked first. wow.

    18. Re:Simple by BasilBrush · · Score: 5, Insightful

      Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures.

      That should read "Some Slashdotters..." there certainly isn't universal agreement on those. Particularly those who make a living by developing and selling software very often won't agree with that entire list.

    19. Re:Simple by Gadget_Guy · · Score: 5, Informative

      Actually the reason Safari went down first was because it was the first target.

      But they don't all hack the same computer at the same time. Everybody is allocated a 30 minute timeslot with the different computers and they all get attacked at the same time. At least, that is how it was described in previous years.

      When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

    20. Re:Simple by antifoidulus · · Score: 2

      It looks like Apple is starting to walk down the same road that Microsoft has gone down years before, namely where the left hand either doesn't know what the right one is doing or if it does is actively opposed to it. From what little info we do have it seemed Steve kept a pretty tight ship, the various groups in Apple were relatively lock step. However with the increase in the number of products they develop and probably his failing health, he started to lose control and now you are starting to see the results of internal grudges manifesting themselves in the end product. I doubt that the technical limitations of making Safari run in a sandbox are insurmountable, but it could very well be that the Safari group doesn't want to have to submit to the security groups "demands". The various managers are starting to see real empire-building opportunity and are going to do anything they can to cash in on the power vacuum. It remains to be seen if Tim Cook can run the company the same way Steve did.

      --
      Monstar L
    21. Re:Simple by terjeber · · Score: 5, Insightful

      Eh, let's see if your "logic" holds up. The winner wins $15,000 AND the machine they hack. So, what would a rational person do, hack the easiest in an attempt to win $15,000 AND a $2,000 laptop, or hack the hardest in an effort to (most likely) ONLY win the $2,000 laptop.

      I am certain that a Mac fanboi would go straight for the "un-hackable" Apple iron, any rational person would go straight for the box he figured he could hack the fastest though. I think these guys are relatively rational.

    22. Re:Simple by jo_ham · · Score: 4, Informative

      Yes, exactly like buying Windows Vista Extreme Ultimate Hyper Edition every so often.

      If you have an Intel Mac (which you need for 10.6 and 10.7), then you have owned since *at most* January 2006. In that time you could have had 10.4 (released April 05), 10.5 (released October 07), 10.6 (released August 2009).

      The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

      If your Intel Mac came with 10.5 you've only had the option to upgrade once - for $29.

      But yes, I'm sure it's a grand conspiracy to force you to spend "another" $100 (when the price of Lion has yet to be confirmed).

    23. Re:Simple by jo_ham · · Score: 2

      The bug they exploited was in Webkit, so I assume it also exists in Chrome too (and thus in Safari and Chrome on all platforms they run on) but I'm not sure exactly whether another vulnerability was also used in the OS X version, since it launched calculator and wrote a file to the hard drive.

    24. Re:Simple by andyr86 · · Score: 3, Interesting

      If you look at the article both exploits took roughly 6 man weeks to find and setup. Safari's took 2 weeks for 3 researchers and IE8s took 6 weeks for 1. They are both as bad as each other really.

    25. Re:Simple by clang_jangle · · Score: 4, Informative
      Ars has a much better article up. Here's a quote:

      Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox.

      So it appears you may be the one whose smugness is unwarranted. :D

      --
      Caveat Utilitor
    26. Re:Simple by Savage-Rabbit · · Score: 3, Interesting

      >>>OS X 10.6 was only $30

      That was a sale price. The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years.

      Which is fine if you have the money to spend.
      I don't.

      I know people who spend more than $500 on their gaming rig at way lower intervals than 10 years. The average person will spend more than $500 on cellphones over 10 years. Never mind the premium in fuel bills alone that people pay for an SUV or even a BMW or a slightly souped-up hatchback. I can afford to upgrade OS X every two years and IMHO I get my money's worth.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    27. Re:Simple by Anonymous Coward · · Score: 3, Insightful

      If you read the ZDNet summary, you'd notice that the same group had an equivalent working exploit for Win7/IE8, but they chose to concentrate on hacking the Mac first. It's a sensible move since the Mac has roughly double the resale value and makes a better test machine since it can run OS X, Windows, Linux or almost anything else.

      So claiming that "OS X is the first to be hacked" is very disingenuous since it implies that it's the easiest to hack. In reality, all the exploits are prepared ahead of time and we can't know which one was the most difficult to achieve. It sounds like none of the platforms survived being hacked, so the only thing we can conclude is that they're all flawed and every computer is vulnerable. The competition gives no useful information on which OS is best in this category, but only that they're all substandard.

      The GP post, to me, is not making excuses for Apple which, like every other vendor, failed the tests. But what it's rightly pointing out is that the story's headline is sensationalized and designed to imply a conclusion that's false.

    28. Re:Simple by BasilBrush · · Score: 4, Insightful

      The whole "which fell first" thing makes a huge assumption that simply isn't true. The assumption that all hardware/software combinations are available at the same time to all participants.

      For example, whilst Safari and IE fell on day one, Firefox isn't scheduled to be available to anyone to try to hack till day two. Thus you can't say Safari is somehow less than Firefox.

      Likewise you can't say that Safari is less than IE. It may well be that the person with a working exploit for Safari got a time slot to try it before the person with a working exploit for IE. After all, it's not as if they are actually finding the exploits at the competition. They're exploits they've spent weeks preparing.

    29. Re:Simple by Gadget_Guy · · Score: 3, Informative

      Excuses, excuses. Your Mac is an insecure piece of shit.

      That is just juvenile. The Mac is definitely not as magically secure as a lot of fans like to suggest, but it is not an "insecure piece of shit". Apple has been paying more attention to security these days, so the OS and browser will only get more secure as time goes by.

      However, you are correct that the original poster was talking rubbish. Every year the Mac goes down first and every year people come up with the same excuse that the hackers target it because they want the prize more than the others. But as VUPEN's twitter post shows, they were allocated to the Mac first by the organisers. They got IE second, but I guess they must have been too late as someone else got that one.

    30. Re:Simple by GrBear · · Score: 2

      Just like Acuras/Lexuses are just Hondas/Toyotas.

      Want to piss of an Infinity owner when he asks what you think of his vehicle? Say, "Meh, it's still a Datsun"

    31. Re:Simple by TheRaven64 · · Score: 2

      Given that the prize was $15,000 plus the machine, I'm not sure that the value of the machine had much to do with it. However, from the Ars Technica article, it sounds like they had one machine open for hacking at a time. First the Mac, then the Windows / IE machine. Then the Chrome / Windows machine, which no one tried to attack (one person found an exploitable hole, but sold it to Google for $1,337 instead of entering it into the contest). FireFox on Windows is up tomorrow.

      Note that the Pwn2Own contest explicitly disallows the use of previously disclosed exploits, so it's entirely possible that a browser with 1,000 known holes would not end up being pwn'd according to the rules of the contest. That doesn't mean that you'd want to actually use it though...

      --
      I am TheRaven on Soylent News
    32. Re:Simple by BrokenHalo · · Score: 2
      ...

      but the thing that trips me up is that I always hope that these discussions will be somewhat rational and fact-based. Whenever Apple comes up it's as if most people here completely lose their intelligence

      Welcome to the club. Macs are just another expression of Unix, which is why I find this old 2nd-hand MacBook so much more useful than my more powerful desktop Linux machines. Some of us have other things to do than fight wars along ideological fronts.

      This doesn't mean I happen to love Apple's business model or Steve Jobs personally. Richard Stallman doubtless has his personality defects too, as most certainly does Steve Ballmer. Sooner or later, we have to come up with realistic boundaries around what we are prepared to work with. In my case those exclude Microsoft OSs simply because they give me a headache and make me cross. A Mac box is enough like other unices for me to be relatively comfortable with it.

    33. Re:Simple by Wovel · · Score: 2

      No one excused them, but the story is misleading. If any of the other hardware was more desirable, it would have fallen first. It was not harder to hack the other platforms, they were just lower in priority...

    34. Re:Simple by Wovel · · Score: 4, Insightful

      Of course Apple has done more to eliminate DRM from Music than everyone on Slashdot combined.

      Weird..

    35. Re:Simple by drinkypoo · · Score: 3, Funny

      At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux.

      AFAIK only Fedora really uses selinux, everyone else uses AppArmor or nothing. What's sad is that Apple doesn't even have ANY capabilities-based security, not even as good as AppArmor.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    36. Re:Simple by Raenex · · Score: 2

      It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari.

      Are you a program manager, by chance?

    37. Re:Simple by LanMan04 · · Score: 4, Informative

      I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize.

      Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.

      --
      With the first link, the chain is forged.
    38. Re:Simple by lgw · · Score: 2

      Apple is the computer of the trendy - you know, the people who snub nerds in high school? Is there anything more to be said about this?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    39. Re:Simple by Duradin · · Score: 2

      He must be a pretty fast typist to type up that malicious web site in a few seconds.

    40. Re:Simple by sjwaste · · Score: 3, Insightful

      It's not like Apple is pursuing DRM and anti-tamper for a blind purpose. Their goal is to create a positive experience for the average user, free of the shit that "Windows People" complain about. Part of that strategy is to reduce malware by certifying software, maintaining quality by screening applications, and so on. They also have minimized the UI into what is commonly used, and either eliminating or burying the rest. It makes sense for people that aren't you or me.

      I happen to like my Macbook. The battery life is ridiculous, and the OS is not locked down. I can do whatever the hell I want with it, with everything that's hiding under the hood. But at the same time, I could hand this to my parents, my sister, anyone else and they'd figure out how to use it.

      Apple designs products for the majority. Hobbyists, tinkerers and geeks are a small minority. It's been a great business decision if you look at their stock price. I don't get why a lot of people here just don't understand that. Being a geek doesn't excuse you from having an understanding of basic business principles, at least not if you want to engage in some sort of discussion that touches upon that. If you don't want to buy Apple products because you do not wish to pay a premium for a streamlined experience packaged in a shiny wrapper, that's fine, but please don't assert that your way is the right way. Clearly, Apple has carved out a niche in the market for the experience that they market. And I'm not even talking about the "feeling cool because of the Apple logo" experience. I'm talking about the streamlining and ease of use. I'd give this shit to my grandmother. Turns out, Ubuntu might be too complicated for her.

    41. Re:Simple by jbolden · · Score: 2

      I understand why there are pursuing DRM. Code signing with a one time opt out, which is pretty close to what we have, isn't bad. That being said though if you are ideologically opposed to closed hardware or DRM there is good reason to oppose Apple. You are taking as a given what offers people the best immediate experience is "the best". Heroin would beat Apple every time in terms of user experience but no one is going argue Heroin is a product we should encourage people to take.

      So I think disliking Apple for creating a more locked down world is legitimate. The emotionalism that causes people to distort their arguments is not legitimate.

    42. Re:Simple by Kalriath · · Score: 2

      It's not a path - they'd be used to demonstrate two distinct actions. Running calc to demonstrate remote process execution, and writing the file to demonstrate sandbox escaping.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    43. Re:Simple by drsmithy · · Score: 2

      Lets see from 1997 through 2002 all the way up to 10.1.5 the upgrades were free.

      OS X10.0 came out in 2001 and cost $129.
      OS X 10.1 came out in 2001 and cost $129 unless you already owned 10.0.
      OS X 10.2 came out in 2002 and cost $129.
      OS X 10.3 came out in 2003 and cost $129.
      OS X 10.4 came out in 2005 and cost $129.
      OS X 10.5 came out in 2007 and cost $129. It was the last to support PPC systems.
      OS X 10.6 came out in 2009 and cost $29 because you wouldn't have a machine to run it if you didn't already have 10.5.

      See the pattern ? 10.7 is pretty much guaranteed to cost $129 (maybe they'll drop it to $99).

    44. Re:Simple by drsmithy · · Score: 2

      Rhapsody and Kodiak came out in 1997 and 2000 respectively

      And neither of them were remotely ready to public consumption. Heck, 10.0 barely was (as tacitly admitted by the free 10.1 upgrade).

      10.1 was a free upgrade (I think you had to pay like $10 for media) for 10.0.

      Yes. Just like I said.

      10.7 will likely cost $129 I don't disagree. My point was that it ain't $100 a year. You could have ridden OSX for many years without paying for the OS. After 10.2 you are on a $129 / 2 year cycle.

      Well, it's basically impossible to average it out across the last decade, because somewhere around 2009 you had to buy a whole new machine to get the updated OS.

      However, from 2001-2007 (10.0 - 10.5), you would have averaged $107.50/yr (5*129/6). Assuming 10.7 hits this year at $129, you would have paid about $40/yr since buying your new Mac.

      And frankly I loved when the OS was improving rapidly. It was great with 10.2 where I was a decade ahead of windows.

      No you weren't. The only meaningful capability OS X had over Windows was its display system, and that discrepancy ended in 2006, with Vista. Even during that time, Windows was superior in most ways, in particular it had much better and more mature low level kernel optimisations, especially on SMP systems. Most of the low-level improvements Apple were making to OS X in the 2001-2007 timeframe, Microsoft had been making to NT in the 1996-2003 timeframe (people seem to forget Apple were ~7 years behind in releasing their "next generation OS", though that did have the benefit of being able to implement features like Rosetta and Classic Mode, that were impractical when Microsoft was doing its transition from DOS-based Windows). This is one of the big reasons OS X was so dismally slow, even on cutting edge hardware, for about the first 5 years of its existence, and why performance was improving with each release (kinda hard to go backwards from where they were).

      Today they're reasonably equal, at least on the client side. On the server side, Windows is well ahead with features like Hyper-V, Terminal Services, Active Directory/Group Policy, and DFS[-R]. But Apple were never really interested in that part of the market anyway, so that's not especially surprising.

    45. Re:Simple by drsmithy · · Score: 2

      I don't know what "ready for public consumption" was.

      Rhapsody was a developer beta. Kodiak was a public beta. 10.0 wasn't much better than Kodiak.

      As far as the broad public, that is Mac users. They liked it.

      No they didn't. Early versions of OS X were shunned due its atrocious performance and (to many) inferior - albeit pretty - UI. Heck, Apple themselves didn't even use OS X as the default option on their systems until the beginning of 2002, and the first version of OS X that wasn't borderline-unusably slow was 10.2 (it was still slow, but at least not frustrating to use).

      OS-8 was an advanced OS but things hadn't improved for a long time and OS-9 wasn't much better.

      MacOS Classic, even by version 9, was only marginally more advanced than Windows 3.1.

      Yes but in reality I'm a pretty good case study. I ended up buying 10.2 and 10.6.

      Most Mac users I know have bought every OS X upgrade since release (even the ones that stuck with MacOS 9 until ca. 2002). Snow Leopard has been the only one they've hesistated with (though nearly all eventually cracked).

      This was not helped by Apple's (typical) bad attitude to legacy support, with older versions of OS X quickly being completely deprecated and unsupported, not to mention incapable of running newer versions of apps and games.

      no 4*129/6. You can't charge for 10.0 and 10.1.

      10.0 or 10.1 - $129
      10.2 - $129
      10.3 - $129
      10.4 - $129
      10.5 - $129

      That's 5x$129, though I suppose in hindsight you could reduce it to four because any Mac that was running the original 10.0 would be unsupported (not to mention unusable) past 10.4.

      So it's 4x$129 plus a new Mac. :)

      a) You agree with the display system. Though honestly I'm not sure they really caught up with Quartz extreme in terms of offloading graphics.

      It exceeded it in capabilities. Though, as with OS X, those are somewhat underutilised.

      b) I had the equivalent of power shell with OS shells, and frankly better. With Applescript I had application level easy scripting.

      Applescript is indeed nice, though I would argue that few use it.

      c) I had movie integration features, i.e. quicktime as a low level component.

      I'm not sure exactly what you mean here, but Windows has had its Quicktime equivalent built-in since Windows 95.

      d) I had "virtual folders" i.e. aliases and softlinks.

      Windows has had shortcuts since Windows 95.

      e) Dock used applications not windows, per windows 7

      And Windows 7 took a huge step backwards in terms of UI usability for multitaskers by doing so (and it started with that godawful "collapsing multiple taskbar buttons" in Windows XP, which Windows 7's Taskbar is just a logical development of). Probably best not to bring up the Dock at all, it's a UI catastrophe, especially the earlier versions (Apple short-circuited the awfulness of the Dock as a task-switching tool with Expose, though Expose also has problems once you move past a non-trivial number of Windows).

      f) Bonjour which Windows still doesn't have

      Microsoft implemented Zeroconf and UPNP (what Apple calls Bonjour) in Windows XP.

      g) CUPS, which is IMHO less good than the print manager in Windows server but way better then what the desktops have.

      I'm blown away you think having a print manager like CUPS should even be necessary on a standalone desktop. Other than pausing/cancelling jobs, and maybe selecting a different printer, just what else does a normal desktop user need

  2. Le pwn? by gtch · · Score: 2

    How does one pronounce 'pwn' in French?

    1. Re:Le pwn? by sakdoctor · · Score: 2

      pvoir!

  3. Firefox/Linux by sakdoctor · · Score: 4, Interesting

    Firefox and Linux are under represented in pwn2own as usual.
    I'm not complacent, just saying it's nice.

    1. Re:Firefox/Linux by Anonymous Coward · · Score: 3, Informative

      Why Pwn2Own doesn't target Linux

    2. Re:Firefox/Linux by georgesdev · · Score: 2

      sure, who would want to pwn Firefox or Linux, and get to own a free download ;) ...

    3. Re:Firefox/Linux by Anonymous Coward · · Score: 4, Interesting

      Quoting from the link: "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

      To me this like a combination of two classic arguments: one that Linux doesn't have enough market share to warrant our attention, two that it given the diversity of Linux, which is one of its security strong points, it might be too difficult to crack it and even if we did, we can't make as big of a media spectacle about it. If I recall correctly, Ubuntu was included in this test a year or two ago and was the only one that was not cracked.

  4. Hilarious by theolein · · Score: 5, Insightful

    I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being windows due to marketshare, but Macs have a big enough marketshare these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

    1. Re:Hilarious by Anonymous Coward · · Score: 2, Funny

      Time to move to Lynx on OpenBSD :-).

    2. Re:Hilarious by boristdog · · Score: 2

      Yep. Last week my mother, who is the Mac "guru" amongst all her associates, called me to ask why and how a virus could have wiped out all the Macs at her job in one day. "That's not possible, is it?" she asked. Um...it happened, didn't it?

      The "Macs are safe from viruses" mantra has been drilled into the users a little too well. The vast majority of Mac users are convinced they are safe and take no precautions.

    3. Re:Hilarious by vague+disclaimer · · Score: 3, Insightful
      Yet oddly, this amazing event didn't make the news.

      I suspect your pants are on fire.

  5. Re:Chrome was updated by Nerdfest · · Score: 3, Informative

    I believe Apple released 50+ patches a few minutes before the contest. No special treatment for Google that I'm aware of.

  6. Never been an issue before by Anonymous Coward · · Score: 5, Funny

    No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

    1. Re:Never been an issue before by (Score.5,+Interestin · · Score: 2

      No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

      Safari meurt, mais il ne se rend pas!

  7. It is slowly ramping up by Sycraft-fu · · Score: 5, Interesting

    We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

    It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

    1. Re:It is slowly ramping up by jo_ham · · Score: 4, Insightful

      It's funny how those of that *do* say those things about Macs are conveniently ignored on slashdot, or lumped in as one job lot with people who know nothing about security and claim that OS X is immune. Or even have our intelligence questioned for our choice of computing environment. It's really quite tiresome.

      The specific bug that was exploited in this case is in WebKit, so it's a concern for any browser based on it - Apple or not. The purpose of the contest is PR, but does lead to exploits being exposed and patched (albeit held back by the people going for the prizes so they have something to deploy as soon as the contest begins - it took those guys a lot of work to get it to the stage where they could deploy it quickly - they could have disclosed their method some time ago [but the same is true for all the exploits used in this contest, on all of the platforms]).

      The attack order of the machines really has little ultimate value in the end - the fact that security holes exist in the first place is the take home message. I hope OS X keeps getting attacked - the more exploits are found, the more get closed off. I am careful with my machine, but I welcome disclosure and patching of bugs.

    2. Re:It is slowly ramping up by Sycraft-fu · · Score: 2

      I can't give you a good virus scanner for Mac as I don't know yet. Macs are a new part of my responsibilities at work so I've only done some research. I can say Sophos does have a Mac virus scanner, Sophos is what we license at work. However I can also say fuck Sophos, I hate it and would not recommend it.

      As for catch rate, no it is much better than that. Good virus scanners tend to get 98% or more. There is some balance between higher catch rate and too many false positives, but you can have few false positives with a 98% or better rate. The very best tend to be 99.5-99.9% catch rate.

      http://www.av-comparatives.org/images/stories/test/ondret/avc_od_aug2010.pdf for the latest results. The AV Comparatives site has more overall data for other kinds of tests too.

      Perfect? No but nothing in the world is. If you demand only perfection you end up missing out on everything because nothing meets your impossible standard.

  8. Holding back exploits to score quick victories? by jo_ham · · Score: 4, Interesting

    Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own, how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

    I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

    1. Re:Holding back exploits to score quick victories? by jo_ham · · Score: 4, Insightful

      I'm not talking just about Apple - note that I was talking generally, and even specifically mentioned Google as an example - it's right there in my comment. I am talking about the contest as a whole, including all of the operating systems and browsers involved, but feel free to ignore my point and just have an Apple bash. After all, we are on slashdot.

      Also, talking about this specific bug, it was an exploit in WebKit - so are you now saying that WebKit is an Apple product? After so many years of "Apple just took KHTML and rebranded it and claimed all the credit" posts on slashdot, now suddenly it *is* an Apple product? You can't have it both ways.

      My original point was referring to all browsers and operating systems involved, both with OSS components and closed code.

  9. Sandbox by Mr_Silver · · Score: 3, Insightful

    The most interesting and disappointing thing about Pwn2Own for me was that all the recent development of sand-boxing in browsers suggested that they were going to herald in a new era of browser security.

    In actual fact it turns out that, thanks sloppy implementations, they aren't very good at their job.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  10. Re:no surprise there by somersault · · Score: 5, Informative

    They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

    --
    which is totally what she said
  11. misleading title on /.? never! by risinganger · · Score: 3, Informative

    Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak.
     
    Please feel free to resume posting uninformed comments now.

    1. Re:misleading title on /.? never! by Anonymous Coward · · Score: 2, Insightful

      Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak. Please feel free to resume posting uninformed comments now.

      There is something strange about how this is worded, as the first hacker - taking down Safari/MacOS - won 15k$. It sounds really strange if that price was decided just by the ordering of attempts.

    2. Re:misleading title on /.? never! by drinkypoo · · Score: 2

      Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt,

      Nobody cares, because it's not news when IE gets compromised. It's news when Apple says "oh we're so secure" and iFanbois say "oh it's so secure" and it's the first to fall.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:misleading title on /.? never! by bidule · · Score: 3, Informative

      The successful hack came in spite of a large security patch, Safari 5.0.4, that Apple released ahead of the competition, patching some 60 security holes in the browser. As well as Safari, Apple also patched iOS to version 4.3. This is because, in a change to historic competition rules, the system configuration was frozen last week, so the last-minute fix hasn't prevented exploitation.

      How to make the truth a lie.

      --
      ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
  12. I feel a disturbance by Dunbal · · Score: 3, Funny

    I feel a disturbance in the Force, as if a million Apple users suddenly cried out in terror, and were pwn3d.

    --
    Seven puppies were harmed during the making of this post.
  13. Re:Chrome was updated by psergiu · · Score: 2

    The organizers said that the software configuration was frozen a week ago. Nobody was allowed to do last-minute updates (like it was last year)

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  14. Ywn2Own by skingers6894 · · Score: 3, Insightful

    Every year headlines claim platforms "pwned" in seconds but it's misleading and sensationalist.

    The exploits are researched and practiced over days or weeks, rehearsed and simply repeated on the day. Yes it's bad, yes it demonstrates insecurity but the headlines imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it's done.

    Of course the exploits take seconds to run - they are running them on computers - they are fast.

    I'm sure they get faster every year.

  15. Re:Chrome was updated by skyfex · · Score: 5, Interesting

    This article seems to indicate so:

    http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

    "But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize."

  16. Re:Chrome was updated by inpher · · Score: 4, Interesting

    Chrome got to use the built in auto mechanism just before the contest started (source 1, source 2, source 3) which is probably why the contestant registered to try to beat Chrome did choose not to try.

  17. Re:Lets face it : Apple got served. by BitZtream · · Score: 2

    Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

    Its the same thing ever year and well understood. Its also well ignored by most who would rather assume that its bad security.

    All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The macs are well sought after, hence they go first.

    God forbid, don't let reality obscure your perspective though.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  18. What do the experts say? by veldon · · Score: 2

    Here are Charlie Miller and Dino Dai Zovi's responses to the very question of which is more secure, Windows 7 or Mac OS X. These are Apple security researchers. It is the second question in the interview:

    http://www.h-online.com/security/features/Hackers-versus-Apple-1202598.html

    The summary: Mac is only safer from browser attacks than Windows because there is less malware written for it. That is, security through obscurity. But Mac is less safe from targeted attacks.

    I am always surprised to hear people claim that somehow Mac is magically more secure. It does nothing but reveal their ignorance.

    1. Re:What do the experts say? by ledow · · Score: 2

      Mac is secure is in aggregate. It all depends on how you view it.

      I *KNOW* that if I cross a road, I'm putting my life at more risk than if I stay at home. It doesn't mean that I will never have an accident at home.

      Similarly, if you put all your eggs in the Windows basket, you're more likely, on aggregate, to be a victim of something. It doesn't mean that a locked-down Windows PC is any less secure than a wide-open Mac. It's just a statistical average.

      By that measure, Windows is excruciatingly far behind on using proper security practices to make sure it's HUNDREDS OF MILLIONS of users aren't affected. Whereas Apple can afford to be a little lax because it TENS OF MILLIONS of users don't exhibit those problems in such numbers.

      That said, any PC is at risk if you don't manage it well. However, statistically, if I pick a machine that we *KNOW* to be infected, it's much more likely to be a Windows machine than any other.

      "Mac is more secure" doesn't cover it in enough detail (i.e. what Mac, what model, what software, what user, what configuration, how well managed, what connection, what services, etc.") but it has a statistical truth. Your problem is not people telling lies, it's people failing to clarify their argument.

  19. Re:Lets face it : Apple got served. by Anonymous+Psychopath · · Score: 2

    Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

    Its the same thing ever year and well understood. Its also well ignored by most who would rather assume that its bad security.

    All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The macs are well sought after, hence they go first.

    God forbid, don't let reality obscure your perspective though.

    This is a silly argument for several reason:

    1) They have to already own a Mac in order to develop the exploit.
    2) They could buy a lot of Macs with $15,000 USD.
    3) Why would you want to really, really win any particular brand of PC when you had just discovered and written something that lets anyone with a web server pwn it?
    4) Even assuming your argument is accurate, that means that all it takes is a little extra effort to crack a Mac, in this case because the browser isn't properly sandboxed. This is because Apple has done a poor job. That isn't a good thing for those of us that use them every day, including me. Discovering vulnerabilities and demonstrating exploits is a Good Thing for users, just a bad thing for fanbois.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  20. Re:Oh my my by Wild_dog! · · Score: 2

    The exploit was in WebKit and is not unique to apple. Webkit is used by Chrome as well.