There is a guy at work here who will definitely send me the link about this (having not read the whole thing) as he absolutely loves it when these stories come out. :p

It really is tiresome setting him straight.
 
The exploit itself took five seconds, but all the preparations and knowledge behind it took more than five seconds. At minimum it took them 1-2 days of nonstop work.

Which is true of nearly all exploits, and is beside the point. If people are looking to break into a Mac using Safari, they're going to be able to do it, and you the user would be unaware when they've been successful.

The key thing is that Snow Leopard still has some serious shortcomings when it comes to security, and in this area Apple are lagging.

Also, it took a malicious website to crack in. In other words, be a safe user and don't visit dodgy websites.

Or visit websites that show banner ads as they can be used to execute exploits, or don't visit websites that have been compromised, or ...

You have no a priori knowledge that a site is clean until after you have already visited, and then only if you audit what the site delivered. Otherwise you're just living in denial.

Yes, this is true for all OSs. No, OSX 10.6 is *not* as secure as newer Linux distros or Win7.
 
We go through this every year. :rolleyes:

Here come all the trolls to chime in!

Really. I see posts like this more as blind fanboys putting their heads in the sand and screaming NOT HAPPENING.

How many years in a row is this that OSX is the first to fall?
I will say I am glad Apple is starting to wise up and reach out to devs and groups like this for Lion. It seems Apple has finally figured out that its "security by obscurity" is going to start failing soon and they are taking what time they have left to really clean itself up.
The reason "security by obscurity" is going to start failing is that Apple is becoming more popular and gaining market share, and it knows iOS is going to start being targeted in larger numbers, which could have a direct effect on OSX being targeted.
 
I think Steve has realised that since the move to Intel the Mac has become a target, due to the past "Mac doesn't get viruses, Windows does" moniker. Lion will be focused now on limiting the use of such backdoors.

I'm not too bothered by the security hole with Lion, as if I don't trust the site I won't get lured there; that's the only reason for viruses, backdoors etc. working.

Human error, not machine or OS failure, is the key.

What does the switch to Intel have to do with viruses? Windows viruses still won't run under MacOS since they are written for Windows. A virus is usually written to target a specific OS (exception: MS Word macro viruses, but not sure how much harm they could do on a Mac). Don't think there is an 'Intel-chip' virus that works independent from the OS.


Anyway: It's good that they look into finding security holes - that will make Apple fix stuff and it will be fixed before others write malware to exploit it.
 
The reason "security by obscurity" is going to start failing is that Apple is becoming more popular and gaining market share, and it knows iOS is going to start being targeted in larger numbers, which could have a direct effect on OSX being targeted.

Security by obscurity is not descriptive of market share. You're misusing the term.

Since OSX is heavily built around open source code, a more appropriate term would be security through inconsequence.
 
Anyway: It's good that they look into finding security holes - that will make Apple fix stuff

Yes.

and it will be fixed before others write malware to exploit it.

No. Apple need to be much faster about pushing security patches. Bloody iTunes seems to get an update every couple of weeks or so. Safari can sit with known security holes for months at a time.

Apple need to be pushing security updates on at least a bi-weekly basis.
 
I wonder how much this has to do with the switch to the X86/X86_64 ISA versus say the PPC ISA: http://www.techrepublic.com/article/will-apples-switch-to-intel-processors-mean-less-secure-macs/6039377

I think Steve has realised that since the move to Intel the Mac has become a target, due to the past "Mac doesn't get viruses, Windows does" moniker. Lion will be focused now on limiting the use of such backdoors.

I'm not too bothered by the security hole with Lion, as if I don't trust the site I won't get lured there; that's the only reason for viruses, backdoors etc. working.

Human error, not machine or OS failure, is the key.
 
Which is media coverage and sitting on a security hole for months in order to get money instead of reporting it. Pathetic if you ask me.

Why should they work for free? Do you? There's far less savoury ways they could be profiting from their skill-set, and rather handsomely too.
 
Most people want to hack Macs first at this event, because you win the computer you did the hack on. Dell and HP machines are less popular to hack first.

That's blatantly untrue. The first one to hack a computer gets 15,000$ and that computer. If the Dell or HP was easier to hack, you'd be a darned fool to go after the Mac. Let's see, a 2000$ computer, or 15,000$ and a 2000$ computer... hum... Hey, let's not hack the easiest one and go for the Mac!

The reason people hack Macs first has no link whatsoever to trying to own a Mac. You can buy many MBAs or whatever they had this year with the 15,000$ you win if you're simply first.
 
The only mitigating factor in this is that it doesn't include privilege elevation. That's not to say it's good that Safari has such a gaping hole in it, but at least the underlying OS provides some protection once you've been compromised.

It's another reason not to have admin rights on your normal login (although I'm not sure how many people actually follow that basic advice)
 
How did Firefox and Chrome do?

Chrome was the winner... again. 3rd year in a row I believe (which is a new record). It has not been hacked. Google offered $20,000 to anybody who could hack it this year.

There was only ONE person brave enough to try Chrome this year, and he ended up being a no-show (rumor has it Google had him assassinated).

But yeah, Chrome is (according to PWN2OWN) the safest, while Safari fails.
 
Why should they work for free? Do you? There's far less savoury ways they could be profiting from their skill-set, and rather handsomely too.

So yeah, if I see someone stealing something, the first thing I ask when I call the police is how much can I get? Stop joking.
 
I wonder how much this has to do with the switch to the X86/X86_64 ISA versus say the PPC ISA:

I think it's pure market share personally. Grey hats are going after OSX cos it makes news now. Black hats will follow the dollars. Why ignore 10% of the US market, especially if that 10% is looking increasingly like low hanging fruit?
 
Really. I see posts like this more as blind fanboys putting their heads in the sand and screaming NOT HAPPENING.

How many years in a row is this that OSX is the first to fall?
I will say I am glad Apple is starting to wise up and reach out to devs and groups like this for Lion. It seems Apple has finally figured out that its "security by obscurity" is going to start failing soon and they are taking what time they have left to really clean itself up.
The reason "security by obscurity" is going to start failing is that Apple is becoming more popular and gaining market share, and it knows iOS is going to start being targeted in larger numbers, which could have a direct effect on OSX being targeted.

My head is far from in the sand Rodimus. I'm glad to see Apple working on avoiding the issues that have been around forever with viruses on PCs.... but like it or not, we're still virus free on the Mac and I don't think "Apple just figured it out" otherwise we'd be toast already.
 
So yeah, if I see someone stealing something, the first thing I ask when I call the police is how much can I get? Stop joking.

Your analogy is stupid. Either you have no concept of how skilled these guys are, or you're too blinkered to think straight.
 