Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Surely

Guest
Oct 27, 2007
15,042
11
Los Angeles, CA
Perhaps it took five seconds to implement, but your thread title makes it seem like it was the first time these hackers saw a MBA and Safari.

I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


I remain unconcerned.
 

nefan65

macrumors 65816
Apr 15, 2009
1,354
14
Perhaps it took five seconds to implement, but your thread title makes it seem like it was the first time these hackers saw a MBA and Safari.

I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


I remain unconcerned.

That's correct. It was done on site, at the event in 5 seconds. However, it took weeks to find the exploit AND actually write a custom piece of code to execute.

You also have to realize that the event was hosted by MS, Google, and another. So there's some bias there...
 

MacRumors

macrumors bot
Apr 12, 2001
63,195
30,136
Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN




114003-cansecwest_2011.jpg


ZDNet reports that a MacBook running Safari was the first machine to fall victim to a security exploit in the PWN2OWN hacker challenge at the CanSecWest conference in Vancouver, Canada. French security researchers compromised the MacBook and launched code within five seconds of contacting the machine, winning a $15,000 cash prize and a new 13-inch MacBook Air for their efforts.
VUPEN co-founder Chaouki Bekrar lured a target MacBook to a specially rigged website and successfully launched a calculator on the compromised machine.

The hijacked machine was running a fully patched version of Mac OS X (64-bit).

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.
While Bekrar noted some difficulties in preparing the exploit due to a lack of documentation on how to exploit 64-bit Mac OS X code, his team was ultimately able to bypass several anti-exploit tactics included in Mac OS X to demonstrate how a machine could become comprised simply by visiting a malicious webpage and without crashing the browser.

Macs have become popular targets for researchers seeking to find security holes, with CanSecWest being a major forum for discussion and demonstration of their work. In 2007, the conference sponsored a "Hack a Mac" contest with a $10,000 cash prize, although organizers did have to loosen the contest rules before researchers succeeded in compromising a MacBook.

The following year, a MacBook Air was the first to be compromised at PWN2OWN, falling victim to a exploit initiated through Safari. Apple released a Safari update just a few weeks later to address that issue. And in 2010, noted researcher Charlie Miller used the conference to expose 20 zero-day holes in Mac OS X, claiming that Mac users' infrequent run-ins with hackers have primarily been due to "security by obscurity", with most malicious hackers preferring to attack Windows platforms with substantially larger user bases.

Notably, Apple is said to have reached out to security researchers for the first time with the initial developer build of Mac OS X Lion, inviting them to test out the forthcoming operating system in hopes of finding and patching as many holes as possible before Lion reaches customers' hands later this year.

Article Link: Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN
 

Surely

Guest
Oct 27, 2007
15,042
11
Los Angeles, CA
Perhaps it took five seconds to implement, but it's not like it was the first time these hackers saw a MBA and Safari.

I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


I remain unconcerned.
 

RRmalvado

macrumors 6502
May 27, 2010
352
25
Perhaps it took five seconds to implement, but it's not like it was the first time these hackers saw a MBA and Safari.

I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


I remain unconcerned.

Although I remain unconcerned as well, you completely miss the point of PWN2OWN.
 

dwd3885

macrumors 68020
Dec 10, 2004
2,131
148
i hope this thread doesn't turn into a 'good for apple that they know the exploit now and can patch'. Because when this stuff happens to Google and Microsoft, most people here laugh it up and gloat how Apple is awesome.
 

Stevesbodyguard

macrumors newbie
Feb 17, 2011
27
0
It says it took a three man team two weeks to work on this. The actual implementaion worked in 5 seconds.....AFTER they lured the MacBook there.

So the moral of the story is, don't be an idiot!
 

Penfold2711

macrumors member
Jan 17, 2011
74
17
I think Steve has realised that since the move to Intel the Mac has become a target since due to the past Mac doesn't get viruses Windows does moniker, Lion will be focused now on limiting the use of such backdoors.

Im not to bothered in the security hole with Lion as if i don't trust the site i won't get lured there thats the only reason for viruses backdoors etc working

Human error not machine or OS failure is the key
 
Last edited:

jav6454

macrumors Core
Nov 14, 2007
22,303
6,256
1 Geostationary Tower Plaza
Although I remain unconcerned as well, you completely miss the point of PWN2OWN.

Yes the point is Macs can easily be hacked. However you misses his point. The exploit itself took five seconds, but all the preparations and knowledge behind it took more than five seconds. At minimum it took them 1-2 days of nonstop work.

Also, it took a malicious website to crack in. In other words, be a safe user and don't visit dodgy websites. This is true across ALL platforms. Impending Linux distros.
 

NAG

macrumors 68030
Aug 6, 2003
2,821
0
/usr/local/apps/nag
i hope this thread doesn't turn into a 'good for apple that they know the exploit now and can patch'. Because when this stuff happens to Google and Microsoft, most people here laugh it up and gloat how Apple is awesome.

Huh? Safari loses almost all the time. Call it a political message or whatever, Apple has never been the best at these security contests. Feel free to keep burning that strawman, though. You don't need to pay attention to reality to have fun while feeling superior due to the choice of which tool you prefer to use.
 

SimonTheSoundMa

macrumors 65816
Aug 6, 2006
1,033
213
Birmingham, UK
Remember, this is a white hat hacking event. Everything is kept confidential and bugs given to the developers.

Most people want to hack Macs first at this event, because you win the computer you did the hack on. Dell and HP machines are less popular to hack first.
 

shartypants

macrumors 6502a
Jul 27, 2010
922
60
This is great news, finding security problems before malicious things are done is good to hear. The more holes patched before the Mac becomes too popular the better.
 

dwd3885

macrumors 68020
Dec 10, 2004
2,131
148
Huh? Safari loses almost all the time. Call it a political message or whatever, Apple has never been the best at these security contests. Feel free to keep burning that strawman, though. You don't need to pay attention to reality to have fun while feeling superior due to the choice of which tool you prefer to use.

huh? smh
 

longofest

Editor emeritus
Jul 10, 2003
2,924
1,682
Falls Church, VA
Apple's recent "reaching out" by offering Lion to security researchers may not be enough.

The rest of the industry pays researchers when they find vulnerabilities and they privately disclose them to the company without making them public before they can be patched. Apple does not. For that reason, Charlie Miller no longer reports bugs to Apple (http://tinyurl.com/5tfee7w).
 

k2spitfire88

macrumors 6502
Feb 15, 2008
422
0
in your mind
Remember, this is a white hat hacking event. Everything is kept confidential and bugs given to the developers.

Most people want to hack Macs first at this event, because you win the computer you did the hack on. Dell and HP machines are less popular to hack first.

Exactly. While it's good to know that people checking these kind of things, and sending the bugs to the developers, you can't put much stock in the actual contest, simply because they get to win the machine they hack. Who wouldn't pick the Mac first?
 

emvath

macrumors regular
Jan 5, 2009
223
187
For some reason while I read this I imagined Steve reading the same thing and tugging at the neck of his black turtleneck and sweating profusely. ;)
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.