Slashdot Mirror


Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

30 of 492 comments

  1. Firefox/Linux by sakdoctor · · Score: 4, Interesting

    Firefox and Linux are under represented in pwn2own as usual.
    I'm not complacent, just saying it's nice.

    1. Re:Firefox/Linux by Anonymous Coward · · Score: 4, Interesting

      Quoting from the link: "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

      To me this is like a combination of two classic arguments: one that Linux doesn't have enough market share to warrant our attention, two that given the diversity of Linux, which is one of its security strong points, it might be too difficult to crack it and even if we did, we can't make as big of a media spectacle about it. If I recall correctly, Ubuntu was included in this test a year or two ago and was the only one that was not cracked.

  2. Hilarious by theolein · · Score: 5, Insightful

    I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being Windows due to marketshare, but Macs have a big enough marketshare these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

  3. Re:Simple by TheRaven64 · · Score: 5, Insightful

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use. It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

    --
    I am TheRaven on Soylent News

  4. Never been an issue before by Anonymous Coward · · Score: 5, Funny

    No one knows. Up until now the French have never had reason to use the word. You can't pwn someone and surrender at the same time.

  5. It is slowly ramping up by Sycraft-fu · · Score: 5, Interesting

    We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

    It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

    1. Re:It is slowly ramping up by jo_ham · · Score: 4, Insightful

      It's funny how those of us that *do* say those things about Macs are conveniently ignored on slashdot, or lumped in as one job lot with people who know nothing about security and claim that OS X is immune. Or even have our intelligence questioned for our choice of computing environment. It's really quite tiresome.

      The specific bug that was exploited in this case is in WebKit, so it's a concern for any browser based on it - Apple or not. The purpose of the contest is PR, but does lead to exploits being exposed and patched (albeit held back by the people going for the prizes so they have something to deploy as soon as the contest begins - it took those guys a lot of work to get it to the stage where they could deploy it quickly - they could have disclosed their method some time ago [but the same is true for all the exploits used in this contest, on all of the platforms]).

      The attack order of the machines really has little ultimate value in the end - the fact that security holes exist in the first place is the take home message. I hope OS X keeps getting attacked - the more exploits are found, the more get closed off. I am careful with my machine, but I welcome disclosure and patching of bugs.

  6. Re:Simple by DrXym · · Score: 5, Insightful

    I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it makes no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

    It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

    So basically it sounds like you're making excuses.

  7. Holding back exploits to score quick victories? by jo_ham · · Score: 4, Interesting

    Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own), how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

    I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

    1. Re:Holding back exploits to score quick victories? by jo_ham · · Score: 4, Insightful

      I'm not talking just about Apple - note that I was talking generally, and even specifically mentioned Google as an example - it's right there in my comment. I am talking about the contest as a whole, including all of the operating systems and browsers involved, but feel free to ignore my point and just have an Apple bash. After all, we are on slashdot.

      Also, talking about this specific bug, it was an exploit in WebKit - so are you now saying that WebKit is an Apple product? After so many years of "Apple just took KHTML and rebranded it and claimed all the credit" posts on slashdot, now suddenly it *is* an Apple product? You can't have it both ways.

      My original point was referring to all browsers and operating systems involved, both with OSS components and closed code.

  8. Re:Simple by clang_jangle · · Score: 5, Informative

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, rather than just the one-sided flamebait we got...

    --
    Caveat Utilitor

  9. Re:Simple by Anonymous Coward · · Score: 5, Interesting

    Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

    At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

  10. Re:Simple by mikael_j · · Score: 5, Insightful

    Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

    --
    Greylisting is to SMTP as NAT is to IPv4

  11. Re:Simple by daid303 · · Score: 4, Funny

    The researcher who was going to go after Chrome never showed up...

    So... google has the best assassins?

  12. Re:no surprise there by somersault · · Score: 5, Informative

    They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

    --
    which is totally what she said

  13. Re:Simple by C_amiga_fan · · Score: 4, Informative

    >>>Apple is it lately.

    I don't have a problem with Apple.

    I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

    --
    FREE magazine : http://clarkesworldmagazine.com/prior/

  14. Re:Simple by dotwhynot · · Score: 5, Insightful

    It's called "Pwn2Own": the hackers win the machines they hack.

    Everyone wants Macs. They hack them first. The other computers come down minutes later.

    First one wins 15k$ cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

  15. Re:Simple by filthpickle · · Score: 4, Funny

    he used google maps to find the place.....and oh, he found it....

  16. Re:Simple by SuricouRaven · · Score: 4, Interesting

    Ideological differences. Slashdotters like such principles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures. This means they will be in conflict with Apple, in the same way they are in conflict with Microsoft. Both companies behave in ways (like requiring code-signing to run any software on an iPod/phone/pad) which are in very strong opposition to the openness and right to tinker that most geeks love.

  17. Re:Simple by Dunbal · · Score: 4, Insightful

    But you have to understand the psychological aspect. I mean if you had paid twice as much for a brand and a look, found out that for your money you weren't getting much else, and watched the software you thought unhackable fail so miserably when you thought you were paying for security, you would be in denial too and rush to their defense. It's not Apple he is defending, it's his own feeling of foolishness that he's trying to cover up.

    --
    Seven puppies were harmed during the making of this post.

  18. Re:Simple by BasilBrush · · Score: 5, Insightful

    Slashdotters like such principles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures.

    That should read "Some Slashdotters..." there certainly isn't universal agreement on those. Particularly those who make a living by developing and selling software very often won't agree with that entire list.

  19. Re:Simple by Gadget_Guy · · Score: 5, Informative

    Actually the reason Safari went down first was because it was the first target.

    But they don't all hack the same computer at the same time. Everybody is allocated a 30 minute timeslot with the different computers and they all get attacked at the same time. At least, that is how it was described in previous years.

    When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

  20. Re:Simple by terjeber · · Score: 5, Insightful

    Eh, let's see if your "logic" holds up. The winner wins $15,000 AND the machine they hack. So, what would a rational person do, hack the easiest in an attempt to win $15,000 AND a $2,000 laptop, or hack the hardest in an effort to (most likely) ONLY win the $2,000 laptop.

    I am certain that a Mac fanboi would go straight for the "un-hackable" Apple iron, any rational person would go straight for the box he figured he could hack the fastest though. I think these guys are relatively rational.

  21. Re:Simple by jo_ham · · Score: 4, Informative

    Yes, exactly like buying Windows Vista Extreme Ultimate Hyper Edition every so often.

    If you have an Intel Mac (which you need for 10.6 and 10.7), then you have owned since *at most* January 2006. In that time you could have had 10.4 (released April 05), 10.5 (released October 07), 10.6 (released August 2009).

    The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

    If your Intel Mac came with 10.5 you've only had the option to upgrade once - for $29.

    But yes, I'm sure it's a grand conspiracy to force you to spend "another" $100 (when the price of Lion has yet to be confirmed).

  22. Re:Simple by clang_jangle · · Score: 4, Informative

    Ars has a much better article up. Here's a quote:

    Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox.

    So it appears you may be the one whose smugness is unwarranted. :D

    --
    Caveat Utilitor

  23. Re:Simple by BasilBrush · · Score: 4, Insightful

    The whole "which fell first" thing makes a huge assumption that simply isn't true. The assumption that all hardware/software combinations are available at the same time to all participants.

    For example, whilst Safari and IE fell on day one, Firefox isn't scheduled to be available to anyone to try to hack till day two. Thus you can't say Safari is somehow less than Firefox.

    Likewise you can't say that Safari is less than IE. It may well be that the person with a working exploit for Safari got a time slot to try it before the person with a working exploit for IE. After all, it's not as if they are actually finding the exploits at the competition. They're exploits they've spent weeks preparing.

  24. Re:Chrome was updated by skyfex · · Score: 5, Interesting

    This article seems to indicate so:

    http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

    "But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize."

  25. Re:Simple by Wovel · · Score: 4, Insightful

    Of course Apple has done more to eliminate DRM from Music than everyone on Slashdot combined.

    Weird..

  26. Re:Chrome was updated by inpher · · Score: 4, Interesting

    Chrome got to use the built in auto mechanism just before the contest started (source 1, source 2, source 3) which is probably why the contestant registered to try to beat Chrome did choose not to try.

  27. Re:Simple by LanMan04 · · Score: 4, Informative

    I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it makes no sense to say this is just some hacker after the nicest prize.

    Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.

    --
    With the first link, the chain is forged.