Man oh man, this is bad news for Apple. Come on, is the only reason this OS doesn't get many exploits and viruses because so few people use it! Say it ain't so :eek:
 
What I love is everyone saying this gig is rigged etc. Honestly to me it doesn't matter. All that matters is the results. The results are Apple doesn't really care about security as much as they should.
 
Good points. Question for me is though, how plausible is something similar on the Mac OS?

In the ten year history of Mac OS X, there has only been a little bit more than double the amount of privilege escalation exploits that Windows 7 has had in just this year alone.

Does that answer your question?
 
To "win" every hack demonstrated that they could A.) write to the drive and B.) execute code (starting an app of their choosing).

Rubbing these two pieces of information together in your mind should produce a lot of smoke in terms of exploitation possibilities. If these, along with the drive-by and/or single-click nature of the exploit itself, don't equal a security flaw in your mind, then you are not qualified to speak to this matter.



The exploit takes five seconds to work. It doesn't matter to the machine being exploited whether the exploit or exploit chain took two hours, two months or two years to develop. The result is the same.

If I were to take six weeks to build a remote keyless entry system for Toyotas that takes five seconds to work, does it matter to the people whose cars I am accessing that it took me a long time to develop my tool? No. Because each successive car I unlock only takes five seconds.

That the exploit only takes five seconds to work is eminently relevant. An exploit that would, for example, take five minutes to work is inherently less reliable and of less overall value.



This is a clear win for Chrome.

No one took a shot at Chrome because Chrome is a much more difficult target to hit for a number of well-known, well-documented and universally recognized reasons.

The rules were a little different for Chrome than the others, but the reward for successfully attacking Chrome was much higher by more than double the monetary amount. Plus, you'd be the first guy to publicly take down Chrome, which passed Safari in browser market share months ago and is currently the browser setting the security standard for mass market security. The table was slanted in Chrome's favor come contest time, but only two teams were willing to try in the first place.

I'd still disagree. It's not like everyone there gets to pick which browser they want to attempt. One was a no-show. You do realize that gives anyone who would take his place 0 prep time, right? Even if you're working on another browser, are you going to try to make a hack for another one, "just in case" someone doesn't show?

Sure, the second group somewhat supports the point that Chrome is more difficult, but that was known going into it. They wanted to work on something they felt would be easier.

Don't get me wrong, Chrome is still the most secure out there, but I don't think this year's contest was a win for them at all. A default win isn't much of a win (assuming you've ever competed in anything).

I imagine Google wanted someone to try. Why else offer an increased prize?
 
What I love is everyone saying this gig is rigged etc. Honestly to me it doesn't matter. All that matters is the results. The results are Apple doesn't really care about security as much as they should.

Both Safari and IE8 were exploited with equal ease. So, by your logic, Microsoft "doesn't really care about security as much as they should" as well.
 
While I agree with you mostly, my issue with this exploit is simple. Can someone actually do something more than open a program you already have installed with it? Can this exploit be used to install malicious software? While being able to run programs remotely has some potential security risks, opening a calculator app is a bit different from installing remote control software on the device. OS X's security features would need to be bypassed as well, not just Safari, for this to occur.

Suggest you read the rules.
They had to start a remote app which proves they can remotely open a file and they had to be able to upload a file to the computer.

That is a bad bad combination. Opening the calculator App was mostly just used as a proof of concept.
Tell right now if you can upload a file then you can upload a file and then run it. That means you can upload a trojan and then run said trojan. That is a huge amount of power.
 
What I love is everyone saying this gig is rigged etc. Honestly to me it doesn't matter. All that matters is the results. The results are Apple doesn't really care about security as much as they should.

You're basing that on what? The fact Safari was hacked? The 62 bug fix they issued recently? The built in security features OS X offers?

They don't issue 52 security bulletins a year? Well, okay that's true, but it's mainly because they didn't have to.

There's no reason Apple should give OS X the same security attention MS gives Windows at the moment. There haven't been as many exploits. They give it attention, which is evidenced enough by what they offer you for protection, which is improving with each iteration of the OS.

From a security standpoint, you'd love them to devote 95% of development time to it, but that's not really logical when your OS is designed like theirs is.
 
Yes, the point is Macs can easily be hacked. However, you miss his point. The exploit itself took five seconds, but all the preparations and knowledge behind it took more than five seconds. At minimum it took them 1-2 days of nonstop work.

Also, it took a malicious website to crack in. In other words, be a safe user and don't visit dodgy websites. This is true across ALL platforms. Impending Linux distros.
How the F is someone to know if a site is dodgy, especially if it is connected as an ad link, say off of a Google search, and it has a respectable name, etc. "visit flower.con" or some such ;-).

If simply VISITING the site, not necessarily clicking on anything once there, unleashes a virus, that is very bad.

Eddie O
 
There's no reason Apple should give OS X the same security attention MS gives Windows at the moment. There haven't been as many exploits. They give it attention, which is evidenced enough by what they offer you for protection, which is improving with each iteration of the OS.

Just because you live in Beverly Hills doesn't mean you can leave your doors unlocked.
 
Suggest you read the rules.
They had to start a remote app which proves they can remotely open a file and they had to be able to upload a file to the computer.

That is a bad bad combination. Opening the calculator App was mostly just used as a proof of concept.
Tell right now if you can upload a file then you can upload a file and then run it. That means you can upload a trojan and then run said trojan. That is a huge amount of power.

Enlighten me on how this occurs then? Anything remotely targeting the OS requires some Admin level rights. I'm not trying to attack you at all, but I'm genuinely interested how you think it'd occur.

For reading purposes, can you link me the rules requiring an install? Nothing I read mentioned installing any software. Just because you can upload a file doesn't mean you have that file run every process on the machine without some sort of access.
 
It does matter. It sensationalizes the headline.


/still unconcerned

A sensational headline does nothing to change that the exploit only takes a few seconds to execute. This should concern you more than an exploit that takes five days to execute.

A headline that reads "Five weeks to hack Safari on OS X" would be equally misleading because the time it takes to develop a working tool is irrelevant to how long it takes the tool to accomplish its objective.

And no, your analogy of printing a paper is not a good one. The paper doesn't do any work.
 
It has to do with Mac OS being built on unix. I'm not even going to bother digging up the countless links that prove this (anyone who is a computer science major like myself can tell you).

What about the Single Unix specification makes an OS inherently more secure? Please, do tell us.
 
Just because you live in Beverly Hills doesn't mean you can leave your doors unlocked.

While it sounds nice up front, not exactly the same comparison.

"Just because you live in Beverly Hills with a security system installed, doesn't mean you wouldn't benefit from security patrols" might fit better.

Your original comparison would imply Apple doesn't even do the basics when it comes to security.
 
Suggest you read the rules.
They had to start a remote app which proves they can remotely open a file and they had to be able to upload a file to the computer.

That is a bad bad combination. Opening the calculator App was mostly just used as a proof of concept.
Tell right now if you can upload a file then you can upload a file and then run it. That means you can upload a trojan and then run said trojan. That is a huge amount of power.

That hypothetical trojan you describe could not run with elevated privileges given the pwn2own exploits did not include gaining privileges to the system level.

So, the exploit could not install a keylogger that hooked into Safari, Mail, or any other app owned by system.

A perfect example of the access gained at pwn2own is Boonana, which was ineffective and largely crippled because it required authentication to install its rootkit payload given that it did not achieve privilege escalation via exploitation.

Every example of OS X malware follows the same pattern as Boonana which is why OS X malware is not very successful.

BTW, Microsoft only has 12 (not 52) security bulletins a year give or take a few due to out-of-band releases for remote roots being exploited in the wild.
 
That trojan could not run with elevated privileges given the pwn2own exploits did not include gaining privileges to the system level.

So, the exploit could not install a keylogger that hooked into Safari, Mail, or any other app owned by system.

A perfect example of the access gained at pwn2own is Boonana, which was ineffective and largely crippled because it required authentication to install its rootkit payload given that it did not achieve privilege escalation via exploitation.

Every example of OS X malware follows the same pattern as Boonana which is why OS X malware is not very successful.

BTW, Microsoft only has 12 (not 52) security bulletins a year give or take a few due to out-of-band releases for remote roots being exploited in the wild.

I was exaggerating. :) I know it's a monthly bulletin, I deal with them...well monthly? :) BTW thanks for saying what I wanted to, only with more detail.
 
Enlighten me on how this occurs then? Anything remotely targeting the OS requires some Admin level rights. I'm not trying to attack you at all, but I'm genuinely interested how you think it'd occur.

For reading purposes, can you link me the rules requiring an install? Nothing I read mentioned installing any software. Just because you can upload a file doesn't mean you have that file run every process on the machine without some sort of access.

Does not require an install. Just uploading a file.
Them opening the app proves they can open anything on the computer. The file uploaded can be some type of malicious code. For example, that file could be a payload that, let's say, the calculator app needs to work. Well, they go in and change that file load file and then open up the calculator, which opens up said code that does the rest of the work. There are ways around that.

Uploading a file and opening an App means they can do some real damage with those 2. It means they have bypassed almost all of OSX protection and from there it's not hard to finish getting around the weak level protection left.

OSX requiring "root" access by the password really is nothing more than making the user say OK to something.

Imagine for a second that the payload file is slipped into something they know the user will grant root level access to trying to run it. Get that on enough computers, plenty of people are dumb enough to do it.
 
Does not require an install. Just uploading a file.
Them opening the app proves they can open anything on the computer. The file uploaded can be some type of malicious code. For example, that file could be a payload that, let's say, the calculator app needs to work. Well, they go in and change that file load file and then open up the calculator, which opens up said code that does the rest of the work. There are ways around that.

Uploading a file and opening an App means they can do some real damage with those 2. It means they have bypassed almost all of OSX protection and from there it's not hard to finish getting around the weak level protection left.

OSX requiring "root" access by the password really is nothing more than making the user say OK to something.

Imagine for a second that the payload file is slipped into something they know the user will grant root level access to trying to run it. Get that on enough computers, plenty of people are dumb enough to do it.

This is totally untrue, read my previous posts.
 
While it sounds nice up front, not exactly the same comparison.

"Just because you live in Beverly Hills with a security system installed, doesn't mean you wouldn't benefit from security patrols" might fit better.

Your original comparison would imply Apple doesn't even do the basics when it comes to security.

I'm sure Apple has a Maltese for a guard dog and a fence around the property.
 
If simply VISITING the site, not necessarily clicking on anything once there, unleashes a virus, that is very bad.

I second that! I'm tired of folks saying "You should be a smarter user!" Listen, any browser/OS combination that allows your machine to become owned simply by you VIEWING a site is BROKEN. That's Apple/Microsoft/Mozilla's fault plain and simple.

It is the user's responsibility not to download and install software that may be of ill repute. It is NOT reasonable for me, on a 300-page research clickfest, to have to go research the target of every URL I might click, examine the Javascript first to make sure the click doesn't target a *different* URL, and THEN click it. And many of us surf on phones that don't allow a hover-over of URLs.
 
This is totally untrue, read my previous posts.

I did.
Payload it into a common file in the system that, let's say, Office needs to run and just have it autorun it on startup.

Now it will request a password to run and the catch is people are idiots and do that to enough computers and some people will grant the root access it needs to install.

Beauty of Trojans is they go through the largest security hole that cannot be patched. AKA the USER. So they are making a more active Trojan that just asks for it a little sooner when it tries. Do that to 100 people and you should get at least 1 person dumb enough to give it to them.
 
Beauty of Trojans is they go through the largest security hole that cannot be patched. AKA the USER. So they are making a more active Trojan that just asks for it a little sooner when it tries. Do that to 100 people and you should get at least 1 person dumb enough to give it to them.

That's why it's called a Trojan. If it just used a remote code execution bug + privilege escalation bug (essentially, a remote root exploit) without user interaction, then it would be called a worm (self-spreading exploit/malware). ;)
 
I did.
Payload it into a common file in the system that, let's say, Office needs to run and just have it autorun it on startup.

Now it will request a password to run and the catch is people are idiots and do that to enough computers and some people will grant the root access it needs to install.

Beauty of Trojans is they go through the largest security hole that cannot be patched. AKA the USER. So they are making a more active Trojan that just asks for it a little sooner when it tries. Do that to 100 people and you should get at least 1 person dumb enough to give it to them.

Exactly my point. Only 1 uneducated user is exploited. If you use an OS that commonly has privilege escalation exploits, such as Windows (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k), then the computing knowledge of the user is negated by the exploit not requiring authentication; even knowledgeable users get exploited to the degree that the whole system is exposed.
 
I'd still disagree. It's not like everyone there gets to pick which browser they want to attempt. One was a no-show. You do realize that gives anyone who would take his place 0 prep time, right? Even if you're working on another browser, are you going to try to make a hack for another one, "just in case" someone doesn't show?

Sure, the second group somewhat supports the point that Chrome is more difficult, but that was known going into it. They wanted to work on something they felt would be easier.

Don't get me wrong, Chrome is still the most secure out there, but I don't think this year's contest was a win for them at all. A default win isn't much of a win (assuming you've ever competed in anything).

I imagine Google wanted someone to try. Why else offer an increased prize?

Phantom, you're free to disagree all you like, but are you sure you understand the nature of the contest, the rules and how it's organized? Reading your comments, you seem to have several fundamental misunderstandings of how the contest works.

'Sign ups' are done far in advance of the contest. No one shows up without having spent a significant amount of time in developing an exploit.

Of the two parties that showed any interest in even attempting a Chrome exploit, one later declined and the other was a no-show. Any of the other contestants could have signed on to make a Chrome attempt months ago. The other browsers showed a much higher degree of interest with multiple parties vying for limited spots, to the point where the winner against Safari for the past three years, Charlie Miller, loudly complained about the crowded field.
 