Exactly my point. Only 1 uneducated user is exploited. If you use an OS that commonly has privilege escalation exploits, such as Windows (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k), then the computing knowledge of the user is negated by the exploit not requiring authentication; even knowledgeable users get exploited to the degree that the whole system is exposed.

What I fail to grasp is how this method he's describing is any different from me downloading a trojan on my own. They can do the same thing. However like you said, it requires the user to do it.
 
Phantom, you're free to disagree all you like, but are you sure you understand the nature of the contest, the rules and how it's organized? Reading your comments, you seem to have several fundamental misunderstandings of how the contest works.

'Sign ups' are done far in advance of the contest. No one shows up without having spent a significant amount of time in developing an exploit.

Of the two parties that showed any interest in even attempting a Chrome exploit, one later declined and the other was a no-show. Any of the other contestants could have signed on to make a Chrome attempt months ago. The other browsers showed a much higher degree of interest, with multiple parties vying for limited spots, to the point where the winner against Safari for the past three years, Charlie Miller, loudly complained about the crowded field.

That's what I'm saying. If you have a choice between browser A, which may prove difficult, with a higher prize, or browser B, with a lower prize that will be easier, which would you choose?

My comment was simply that there wasn't much interest in it, even with the added prize. Can you call that a win for Chrome? Maybe.

I guess maybe I should have clarified it a bit better. What I gathered from what was being asked earlier was why someone didn't "pick up opportunity" AFTER the others had backed out. That's what my posts were directed at, not why they didn't choose the browser from the beginning.
 
I second that! I'm tired of folks saying "You should be a smarter user!" Listen, any browser/OS combination that allows your machine to become owned simply by you VIEWING a site is BROKEN. That's Apple/Microsoft/Mozilla's fault plain and simple.

It is the user's responsibility not to download and install software that may be of ill repute. It is NOT reasonable for me, on a 300-page research clickfest, to have to go research the target of every URL I might click, examine the JavaScript first to make sure the click doesn't target a *different* URL, and THEN click it. And many of us surf on phones that don't allow a hover-over of URLs.

Actually, it is. No OS can prevent you from being an idiot. Okay, without the user being severely compromised. "We're sorry, that website has not been added to our safe list, you cannot visit it."

You have to do your own due diligence. OS protection can only take you so far.
 
What I fail to grasp is how this method he's describing is any different from me downloading a trojan on my own. They can do the same thing. However like you said, it requires the user to do it.

A trojan injected into the browser then written to the disk with user privileges will produce an authentication prompt to install with higher privileges. That prompt is not tied to a user's action that usually asks for authentication via a prompt. How many times have you been asked to authenticate visiting a website or opening a document in an office suite? By trying to be stealthy, they become obvious as something malicious.

A trojan you explicitly download requires two steps to trick you. For example, Boonana using a Facebook video. You click on the video to watch it. You authenticate the install of a video codec that includes a trojan to watch the video. To less knowledgeable users, this seems like a more normal thing to do, i.e. needing a codec to watch a video file, so it is more likely to be successful and easier to make because it relies on absolutely no exploitation of running processes.
 
No OS can prevent you from being an idiot. Okay, without the user being severely compromised. "We're sorry, that website has not been added to our safe list, you cannot visit it."

You're missing my point. I'm not expecting the OS or browser to wipe my bottom and tuck me in at night. I'm expecting it not to GET COMPROMISED by me simply VIEWING a web page. That's all. I'm not asking too much.

NO modern OS/browser combination should be able to be taken over in this manner.
 
A trojan injected into the browser then written to the disk with user privileges will produce an authentication prompt to install with higher privileges. That prompt is not tied to a user's action that usually asks for authentication via a prompt. How many times have you been asked to authenticate visiting a website or opening a document in an office suite? By trying to be stealthy, they become obvious as something malicious.

A trojan you explicitly download requires two steps to trick you. For example, Boonana using a Facebook video. You click on the video to watch it. You authenticate the install of a video codec that includes a trojan to watch the video. To less knowledgeable users, this seems like a more normal thing to do, i.e. needing a codec to watch a video file, so it is more likely to be successful and easier to make because it relies on absolutely no exploitation of running processes.

Sadly, I have had to fix people's computers that have had that done to them. After I remove what damage was done, I normally proceed to install the K-Lite codec pack and tell them that if it does not play and requires you to download something, say no; it is a virus.

I choose K-Lite because it is one of the better ones out there and has pretty much all the codecs used out there.
 
A sensational headline does nothing to change that the exploit only takes a few seconds to execute. This should concern you more than an exploit that takes five days to execute.

I agree, but it still doesn't concern me.

A headline that reads "Five weeks to hack Safari on OS X" would be equally misleading because the time it takes to develop a working tool is irrelevant to how long it takes the tool to accomplish its objective.

Agreed. However, I wasn't implying that the headline should state that.

And no, your analogy of printing a paper is not a good one. The paper doesn't do any work.

I disagree. It depends what the paper's topic is. If it causes progress to occur in a field, then it does plenty of work.
 
NO modern OS/browser combination should be able to be taken over in this manner.

Yet every OS can be exploited to gain user-level access via its client-side software (web browser, office suite, IM client, etc.)

This will always be true. Every security mitigation will just make doing so more difficult.

When difficulty surpasses profitability, malware will shift to relying on social engineering even more than it already does now.

If you want to increase the security of sensitive user files in Mac OS X while you are logged in, check out the last item in my Mac Security Suggestions. The link is in my sig.

To be effective, make sure the disk image is unmounted when you browse the web.
 
That's what I'm saying. If you have a choice between browser A, which may prove difficult, with a higher prize, or browser B, with a lower prize that will be easier, which would you choose?

My comment was simply that there wasn't much interest in it, even with the added prize. Can you call that a win for Chrome? Maybe.

I guess maybe I should have clarified it a bit better. What I gathered from what was being asked earlier was why someone didn't "pick up opportunity" AFTER the others had backed out. That's what my posts were directed at, not why they didn't choose the browser from the beginning.

The opportunity was the same for everyone.

It's a win for Chrome because Pwn2Own is by its very nature the distilled essence of developing an exploit: is the payoff worth the amount of time and resources expended?

The answer for every other browser is yes.

The answer for Chrome is no.
 
Actually, it is. No OS can prevent you from being an idiot. Okay, without the user being severely compromised. "We're sorry, that website has not been added to our safe list, you cannot visit it."

You have to do your own due diligence. OS protection can only take you so far.

Huh, that is simply not possible; a lot of sites also incorporate content from third parties, such as banner ads.
There is no way to protect yourself by 'only going to respectable sites':
http://dns.tmcnet.com/topics/intern...installed-victim-computers-through-banner.htm
 
Good suggestion. How does K-lite compare to CCCP?

Don't know; never used CCCP or heard of it until now.
I know K-Lite is pretty good. I know CCCP at first glance kind of scares me, but I am going to look more into it and see what I think. CCCP is clearly geared more at the computer geek side of things.
 
Don't know; never used CCCP or heard of it until now.
I know K-Lite is pretty good. I know CCCP at first glance kind of scares me, but I am going to look more into it and see what I think. CCCP is clearly geared more at the computer geek side of things.

Agreed, the website doesn't have the greatest marketing value. LOL. Never tested positive using various AV scanners. Been around a long time.
 
"Miller and some other researchers have, however, scaled back their reporting of security flaws to Apple in the face of its refusal to match other companies' offerings of cash rewards for finding such holes."

Seriously?!
That's not "security research", that's plain old-fashioned extortion, straight up. Apple shouldn't pay off these jerks. It's time to file a class action lawsuit against these "security researchers" on behalf of all users.
 
I agree, but it still doesn't concern me.

It doesn't concern me enough for me to change my practices, either, but I'm aware enough to see the bellwether for what it is and not discount it simply because it runs counter to my worldview.

Agreed. However, I wasn't implying that the headline should state that.

Yeah, you did.

I disagree. It depends what the paper's topic is. If it causes progress to occur in a field, then it does plenty of work.

Ah, I see now that we're moving goalposts, conflating definitions and playing meta games with our analogies.

Here's what you said:

I'll say it again: Saying that it took 5 seconds to hack Safari is like saying it took me 60 seconds to write a 20 page paper because that's how long it took to print.

I'm published in a couple of fields. The ideas, research and the critical reading of the audience do the work. The paper it's printed on means nothing to me. The amount of relevance the time of printing has is a mite on a tick's ass as far as I'm concerned.

How much time an exploit takes to execute is of much more relevance than how much time it took for the exploit to be developed. The headline may be sensationalistic, but it delivers the single most relevant point for anyone who is not the person writing the exploit. It only takes 5 seconds for a drive-by.

Come to think of it, this paper analogy supports my argument more. A paper is usually the culmination of years and months of work. The actual transmission of the idea doesn't take that much time. The point is that I want to take all of my data and/or experience and transmit it as clearly and concisely as possible. X intervention works better than Y in Z circumstance. If I'm in a circumstance where I can't transmit the salient points of my research to my colleagues in 30 seconds or less, then my idea needs more work.
 
"Miller and some other researchers have, however, scaled back their reporting of security flaws to Apple in the face of its refusal to match other companies' offerings of cash rewards for finding such holes."

Seriously?!
That's not "security research", that's plain old-fashioned extortion, straight up. Apple shouldn't pay off these jerks. It's time to file a class action lawsuit against these "security researchers" on behalf of all users.

No, it's not.

You have a funny definition of extortion. If security researchers threatened to use or sell vulnerabilities to another party unless they were paid, that would be extortion.
 
No, it's not.

You have a funny definition of extortion. If security researchers threatened to use or sell vulnerabilities to another party unless they were paid, that would be extortion.

Agreed. Why should they work for free?

People saying these devs should work out of the goodness of their heart... should fire fighters also work for free? Should the police work for free? Do they not deserve to earn a living too?

It's ridiculous that Apple expects them to work for free and shows how little Apple really cares about the security of its system that it isn't even worth it to "hire" people to make sure its system is secure.
 
No, it's not.

You have a funny definition of extortion. If security researchers threatened to use or sell vulnerabilities to another party unless they were paid, that would be extortion.

Vulnerabilities that have some value in relation to exploitation in the wild are purchased by the Zero Day Initiative which hosts the pwn2own contest.

ZDI further researches the vulnerabilities for products (http://h17007.www1.hp.com/us/en/products/network-security/index.aspx) and services that they sell then reports the vulns to the vendors for patching.

I guess researchers want to cut out the middle man and sell the vulns to the vendors directly.
 
Remember, this is a white hat hacking event. Everything is kept confidential and bugs given to the developers.

Most people want to hack Macs first at this event, because you win the computer you did the hack on. Dell and HP machines are less popular to hack first.

Not to mention that these people are sitting on these exploits for who knows how long; it doesn't work like that in the Windows world, where most of these exploits are already out in the wild tearing up people's ****.
 
http://www.computerworld.com/s/article/9214022/Google_s_Chrome_untouched_at_Pwn2Own_hack_match

Apparently, Chrome has gone three years in a row without anyone being able to hack it at this event. IE8 was hacked using some complicated sounding method.

Firefox gets tested on Friday, along with the browsers on iOS, Android, Blackberry OS, and Windows Phone 7.

Anyone care to bet which mobile browser will fail first?

iPhone and Blackberry were both exploited today. First is unimportant given that the devices are not hacked at the same time but one at a time following a predetermined schedule.

Supposedly, the hacker going after Android had a working exploit but thought that it did not qualify for the rules of pwn2own so reported the vuln to Google and the vuln was subsequently patched. Seems kind of bogus given that Android devices using non-default UI, such as the Sense UI, are still running older versions of Android.

Blackberries now have a full web browser and that is why the device was hacked this year. Blackberries also have no other security mitigations, such as DEP, ASLR, or code signing. Now that the Blackberry attack surface has been broadened with a full web browser, more Blackberry exploits will show up, but not necessarily in the wild, given that tools that aid exploit development do not exist for Blackberry. It should be noted that the new OS for the Blackberry Playbook and future smartphones is based on QNX.
 
Stupid eye catching report

"Researchers Exploit Safari Security Hole in Five Seconds at PWN2OWN"

You basically know that this statement is totally wrong and that you hope (and actually succeeded) to attract a flame war in your forum for the sake of increasing the number of page hits on your site.

If you would do your work with a minimum of professionalism, you would have stressed (and not relied on the zdnet report) that it took three researchers to implement a working exploit. That is a long time and it shows that it is not easy these days to get a working exploit. You should have reported that they needed to bypass the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) techniques that Mac OS X uses for protection, which, by the nature of Safari being 64-bit, required developing tools and attack code from scratch (known techniques to bypass those protection mechanisms do not work in 64-bit). Instead of writing a basically useless report, you should have understood that exploiting a flaw is not easy and that the operating system makes it more difficult.

You make it sound like a guy showed up and pulled out of his hat a working exploit ready to use in five seconds. This is of course nonsense; no one can exploit a Safari security hole in five seconds as you say in your report title. Again, it took three men (PAID to do that, this is very important to remember) and two weeks to implement an exploit. Once it is ready, the context of the challenge makes it easy to demonstrate it; the researchers just go to a web page that they have already prepared. It is a matter of clicking a link.

You should also have reported that IE 8 was also exploited at basically the same time and also in "5 seconds" as you say. But we know that it took 5-6 weeks for ONE researcher to implement the exploit; he even could escape the IE 8 sandbox. So same thing, it takes time to get an exploit working; this is not something that one can pull out of the ass.

Chrome was not attacked; no one showed up. But I really don't think that it is because no one can take it down. The exploit of IE 8 shows that it is possible to escape from the sandbox; there is always someone who can because they are PAID to find flaws in software. I just think that some money is flying around so that no one is actually showing up for Chrome. And even if that is not the case, Google patched a lot of security holes a few days ago just before the contest (some of them allowed bypassing the sandbox), which means that the browser has and will continue to have security holes like any other browser.
 
"Supposedly, the hacker going after Android had a working exploit but thought that it did not qualify for the rules of pwn2own so reported the vuln to Google and the vuln was subsequently patched. Seems kind of bogus given that Android devices using non-default UI, such as the Sense UI, are still running older versions of Android."

Ok, so no one attacks Chrome, no one attacks Android, a guy suddenly thought that he does not qualify for the rules and gives everything to Google, what the hell?
 
Remember, this is a white hat hacking event. Everything is kept confidential and bugs given to the developers.

Most people want to hack Macs first at this event, because you win the computer you did the hack on. Dell and HP machines are less popular to hack first.

It's much more valuable and worthwhile to give your exploit over to the developers in exchange for a Mac, because they WANT a Mac.

But with the PC side of things, it's more profitable to use your exploit for ...other uses
 
"Supposedly, the hacker going after Android had a working exploit but thought that it did not qualify for the rules of pwn2own so reported the vuln to Google and the vuln was subsequently patched. Seems kind of bogus given that Android devices using non-default UI, such as the Sense UI, are still running older versions of Android."

Ok, so no one attacks Chrome, no one attacks Android, a guy suddenly thought that he does not qualify for the rules and gives everything to Google, what the hell?
Seems the contest sponsors heard they could lose. That couldn't possibly happen.
 