Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
WOW!!!

Safari on snow leopard!

IE8 on windows 7!

Firefox on windows 7!

All PWNed on day one and all within minutes. I guess there is nothing left to debate about.
 
WOW!!!

Safari on snow leopard!

IE8 on windows 7!

Firefox on windows 7!

All PWNed on day one and all within minutes. I guess there is nothing left to debate about.

Very true, but this is what matters most:

TippingPoint does not release details of the vulnerabilities exploited for Pwn2Own, but instead purchases the rights to the flaws and exploit code as part of the contest. It then turns over information to the appropriate vendors, who all had representatives on hand.

Only after the vendor has plugged the hole does TippingPoint disclose details of each flaw.

If history is any indication, vendors will push out patches for the exploited vulnerabilities fairly quickly. In 2008, for example, Apple took just three weeks to patch the Safari bug that Miller used to win $10,000 at his inaugural Pwn2Own.

http://www.computerworld.com/s/arti...ri_IE8_Firefox_all_fall_on_day_one_of_Pwn2Own

Companies are taking this seriously, and this is a good thing. It also makes me feel really good about using Chrome. :D
 
WOW!!!

Safari on snow leopard!

IE8 on windows 7!

Firefox on windows 7!

All PWNed on day one and all within minutes. I guess there is nothing left to debate about.
These are pwned in minutes because these guys have spent weeks or longer writing their exploits into their own websites. Yes, the "cracked in mere minutes!" is a great headline, but it doesn't really represent the truth.
 
These are pwned in minutes because these guys have spent weeks or longer writing their exploits into their own websites. Yes, the "cracked in mere minutes!" is a great headline, but it doesn't really represent the truth.

Yup. I follow Charlie Miller on Twitter, and he already had all the information long before this. Cracked in mere minutes is just because that's how long it took to execute the vulnerability.

It's like saying it takes only 30 seconds to get a home built PC up and running; that 30 seconds to start it up.

However it takes hours to build, but that doesn't sound as impressive.
 
I'm assuming you're not a programmer. I can see why this approach doesn't make sense to a non-programmer, but it is valid. (I think his 30 vulnerabilities are proof that it does something.)
SNIP
So many words, so little content. I am a programmer, experienced enough to demand proof, not conjecture, before accepting a claim of a 'zero-day exploit'. I originally said "I want some proof he can learn something useful from his 'technique', he hasn't got any such proof."

Miller has seemingly claimed he can crash Preview as 20 of the 'exploits' were against Preview. Hell, I can crash Preview by using Force Quit. If Miller can show how his so-called 'exploits' can compromise the system rather than merely providing a denial of service against Preview then I will stop giggling. For now, Miller is merely a insubstantial self publicist who will not share his detailed findings with anyone, perhaps because there aren't any.
 
If Miller can show how his so-called 'exploits' can compromise the system rather than merely providing a denial of service against Preview then I will stop giggling.

You're obviously not following this thread too well. (Clicking on links and reading external material is required. There should be no need for constant spoon-feeding here. See my last post for example). The exploits are merely demonstrated [i.e., proved.] No "how-to" or nitty-gritty details will be publicized until vendors have patched the associated holes. But you should already know that from what's previously been said and/or referenced.

We aren't even told (by the event reporters) if Stealth Mode was active on Snow Leopard's firewall, and/or whether or not that would have mattered anyway. Nor are we specifically informed of any root access (at least not with that exact word... perhaps "pwn" implies root in all contexts, idunno).

More linkage: "Pwn2Own winner tells Apple, Microsoft to find their own bugs"
 
2010-March-29

Apple Mac OS X - 10.6.3
Snow Leopard operating system.

Apple Security Update - 2010-002

For Leopard Mac OS X 10.5.

Both OS versions share the same security page: http://support.apple.com/kb/HT4077 :eek:

HELLO...
11 instances of the string working with TippingPoint's Zero Day Initiative appear in that kbdoc!!!!!!!11
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.