Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN

Discussion in 'MacRumors.com News Discussion' started by camelsnot, Mar 10, 2011.

  1. camelsnot macrumors 6502

    camelsnot

    Joined:
    Jan 31, 2011
    #1
  2. Surely Guest

    Surely

    Joined:
    Oct 27, 2007
    Location:
    Los Angeles, CA
    #2
    Perhaps it took five seconds to implement, but your thread title makes it seem like it was the first time these hackers saw a MBA and Safari.

    I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


    I remain unconcerned.
     
  3. nefan65 macrumors 65816

    nefan65

    Joined:
    Apr 15, 2009
    #3
    That's correct. It was done on site, at the event in 5 seconds. However, it took weeks to find the exploit AND actually write a custom piece of code to execute.

    You also have to realize that the event was hosted by MS, Google, and another. So there's some bias there...
     
  4. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #4
    Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN

    [​IMG]


    [​IMG]

    ZDNet reports that a MacBook running Safari was the first machine to fall victim to a security exploit in the PWN2OWN hacker challenge at the CanSecWest conference in Vancouver, Canada. French security researchers compromised the MacBook and launched code within five seconds of contacting the machine, winning a $15,000 cash prize and a new 13-inch MacBook Air for their efforts.
    While Bekrar noted some difficulties in preparing the exploit due to a lack of documentation on how to exploit 64-bit Mac OS X code, his team was ultimately able to bypass several anti-exploit tactics included in Mac OS X to demonstrate how a machine could become comprised simply by visiting a malicious webpage and without crashing the browser.

    Macs have become popular targets for researchers seeking to find security holes, with CanSecWest being a major forum for discussion and demonstration of their work. In 2007, the conference sponsored a "Hack a Mac" contest with a $10,000 cash prize, although organizers did have to loosen the contest rules before researchers succeeded in compromising a MacBook.

    The following year, a MacBook Air was the first to be compromised at PWN2OWN, falling victim to a exploit initiated through Safari. Apple released a Safari update just a few weeks later to address that issue. And in 2010, noted researcher Charlie Miller used the conference to expose 20 zero-day holes in Mac OS X, claiming that Mac users' infrequent run-ins with hackers have primarily been due to "security by obscurity", with most malicious hackers preferring to attack Windows platforms with substantially larger user bases.

    Notably, Apple is said to have reached out to security researchers for the first time with the initial developer build of Mac OS X Lion, inviting them to test out the forthcoming operating system in hopes of finding and patching as many holes as possible before Lion reaches customers' hands later this year.

    Article Link: Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN
     
  5. Surely Guest

    Surely

    Joined:
    Oct 27, 2007
    Location:
    Los Angeles, CA
    #5
    Perhaps it took five seconds to implement, but it's not like it was the first time these hackers saw a MBA and Safari.

    I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


    I remain unconcerned.
     
  6. JS77 macrumors regular

    Joined:
    Jun 18, 2008
    #6
    It took me longer than 5 seconds to post this reply :eek:
     
  7. RRmalvado macrumors 6502

    Joined:
    May 27, 2010
    #7
    Although I remain unconcerned as well, you completely miss the point of PWN2OWN.
     
  8. dwd3885 macrumors 68020

    Joined:
    Dec 10, 2004
    #8
    i hope this thread doesn't turn into a 'good for apple that they know the exploit now and can patch'. Because when this stuff happens to Google and Microsoft, most people here laugh it up and gloat how Apple is awesome.
     
  9. Stevesbodyguard macrumors newbie

    Joined:
    Feb 17, 2011
    #10
    It says it took a three man team two weeks to work on this. The actual implementaion worked in 5 seconds.....AFTER they lured the MacBook there.

    So the moral of the story is, don't be an idiot!
     
  10. Popeye206 macrumors 68040

    Popeye206

    Joined:
    Sep 6, 2007
    Location:
    NE PA USA
    #11
    We go through this every year. :rolleyes:

    Here comes all the trolls to chime in!
     
  11. Penfold2711, Mar 10, 2011
    Last edited: Mar 10, 2011

    Penfold2711 macrumors member

    Joined:
    Jan 17, 2011
    #12
    I think Steve has realised that since the move to Intel the Mac has become a target since due to the past Mac doesn't get viruses Windows does moniker, Lion will be focused now on limiting the use of such backdoors.

    Im not to bothered in the security hole with Lion as if i don't trust the site i won't get lured there thats the only reason for viruses backdoors etc working

    Human error not machine or OS failure is the key
     
  12. Surely Guest

    Surely

    Joined:
    Oct 27, 2007
    Location:
    Los Angeles, CA
    #13
    No I didn't.
     
  13. AdeFowler macrumors 68020

    AdeFowler

    Joined:
    Aug 27, 2004
    Location:
    England
  14. jav6454 macrumors P6

    jav6454

    Joined:
    Nov 14, 2007
    Location:
    1 Geostationary Tower Plaza
    #15
    Yes the point is Macs can easily be hacked. However you misses his point. The exploit itself took five seconds, but all the preparations and knowledge behind it took more than five seconds. At minimum it took them 1-2 days of nonstop work.

    Also, it took a malicious website to crack in. In other words, be a safe user and don't visit dodgy websites. This is true across ALL platforms. Impending Linux distros.
     
  15. NAG macrumors 68030

    NAG

    Joined:
    Aug 6, 2003
    Location:
    /usr/local/apps/nag
    #16
    Huh? Safari loses almost all the time. Call it a political message or whatever, Apple has never been the best at these security contests. Feel free to keep burning that strawman, though. You don't need to pay attention to reality to have fun while feeling superior due to the choice of which tool you prefer to use.
     
  16. SimonTheSoundMa macrumors 6502a

    Joined:
    Aug 6, 2006
    Location:
    Birmingham, UK
    #17
    Remember, this is a white hat hacking event. Everything is kept confidential and bugs given to the developers.

    Most people want to hack Macs first at this event, because you win the computer you did the hack on. Dell and HP machines are less popular to hack first.
     
  17. shartypants macrumors 6502a

    shartypants

    Joined:
    Jul 27, 2010
    #18
    This is great news, finding security problems before malicious things are done is good to hear. The more holes patched before the Mac becomes too popular the better.
     
  18. dwd3885 macrumors 68020

    Joined:
    Dec 10, 2004
    #19
    huh? smh
     
  19. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #20
    Apple's recent "reaching out" by offering Lion to security researchers may not be enough.

    The rest of the industry pays researchers when they find vulnerabilities and they privately disclose them to the company without making them public before they can be patched. Apple does not. For that reason, Charlie Miller no longer reports bugs to Apple (http://tinyurl.com/5tfee7w).
     
  20. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #21
    Perhaps. But was it running a fully patched version of Safari? (I.E. Does Safari 5.0.4 fix the hole they exploited?)
     
  21. iamrawr macrumors 6502

    iamrawr

    Joined:
    Apr 16, 2010
    Location:
    New Jersey
  22. k2spitfire88 macrumors 6502

    Joined:
    Feb 15, 2008
    Location:
    in your mind
    #23
    Exactly. While it's good to know that people checking these kind of things, and sending the bugs to the developers, you can't put much stock in the actual contest, simply because they get to win the machine they hack. Who wouldn't pick the Mac first?
     
  23. jon08 macrumors 68000

    Joined:
    Nov 14, 2008
  24. emvath macrumors regular

    Joined:
    Jan 5, 2009
    #25
    For some reason while I read this I imagined Steve reading the same thing and tugging at the neck of his black turtleneck and sweating profusely. ;)
     

Share This Page