Perhaps it took five seconds to implement, but it's not like it was the first time these hackers saw a MBA and Safari.

I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


I remain unconcerned.

2-3 weeks of set up it said. Still, 2-3 weeks is an eternity of time for how slow some things get patched. It was also just starting a calculator...an already existing program, but it'd be a big loophole for trojans, or even other non-secured programs that contain important data.

Theoretically it could be used to open important documents already on the machine.
 
Apple fixed this bug before the contest but Pwn2Own ran an unpatched, unfixed version of Safari with a known bug. Big deal. Why not install Windows 95 on the Dell, and Red Hat 2 on the HP to make the contest really up to date?

That's a deliberately false reading of the truth. The versions were locked a week or so prior to the event. If Apple had released its bi-yearly security patch for Safari just a couple of days earlier, the exploit would have failed.

The question then surely is why it took Apple so long to release a Safari update when they know a code execution exploit exists?
 
So because it took 2 weeks to discover the hole and find an exploit it?

If your Mac ever gets hijacked in an instant because you were linked to a certain website you can take solace in the fact the exploit took a few weeks to write.

Saying that it took these guys 5 seconds to hack Safari is disingenuous.

That was my point.

It's like saying it took me 60 seconds to write a 20 page paper because that's how long it took to print.
 
I don't understand why Apple doesn't pay prizes for finding security holes… they have ****in' 50 billion in the bank, spending a little of that to make their OS the most secure should be a no-brainer IMHO :rolleyes:
 

I think it was better preparation on the Safari hacker's side versus the IE side. Correct me if I'm wrong, but isn't it more of a browser exploit, not necessarily OS specific? You can run IE on multiple OS's, same with Safari, Chrome and Firefox.

I could be completely wrong, as I haven't delved into how the contest is set up.
 
I think Steve has realised that since the move to Intel the Mac has become a target, due to the past "Mac doesn't get viruses, Windows does" moniker; Lion will be focused now on limiting the use of such backdoors.

I'm not too bothered by the security hole with Lion, as if I don't trust the site I won't get lured there; that's the only reason for viruses, backdoors etc. working.

Human error, not machine or OS failure, is the key.

Hence Java removal from Lion?
 
safari vs chrome

So if the vulnerability is in WebKit, how did Chrome fare so well against Safari since they both run WebKit? Granted they are probably different implementations, but it sounds like they didn't even go near Chrome 'cause it was so secure. I am a big fan of both browsers; I prefer Safari, but that is mostly out of habit. If Chrome is really that much more secure then I will definitely switch. Any insight?
 
Let's see some originality. It's always the same old safari/IE "have to go to some website and click around vulnerability". I want to see them hack OS X without using Safari. Oh, and instead of launching a calculator, I want them to erase the HDD.
 
Apple fixed this bug before the contest but Pwn2Own ran an unpatched, unfixed version of Safari with a known bug. Big deal. Why not install Windows 95 on the Dell, and Red Hat 2 on the HP to make the contest really up to date?

Actually that isn't 100% accurate. In order to be paid the money, the exploit must have been one not fixed by the most recent 62 bug fix update.

I believe this was one not fixed by the update, although feel free to link to a source if I'm not correct on this.

They froze all the devices 2 weeks out, so they were older versions for 3/4 (IE was not updated before the contest) browsers out there, unless the updates happened previous to 2 weeks out.
 
Really? You find a hole - you report it.

If I've just spent two weeks solid finding a security hole in your software, I expect to get paid. It's your software, you should be doing that job, not me.

What's stupid about that?

Your analogy was stupid. You compared a zero effort action like witnessing a crime in progress, to an extensive and labour intensive research process.
 
So if the vulnerability is in WebKit, how did Chrome fare so well against Safari since they both run WebKit? Granted they are probably different implementations, but it sounds like they didn't even go near Chrome 'cause it was so secure. I am a big fan of both browsers; I prefer Safari, but that is mostly out of habit. If Chrome is really that much more secure then I will definitely switch. Any insight?

I don't believe they said, but other than no one trying Chrome, it also runs its own sandbox. That may have been the breaking point between the two, although IE's sandbox was broken yesterday.
 
I think it was better preparation on the Safari hacker's side versus the IE side. Correct me if I'm wrong, but isn't it more of a browser exploit, not necessarily OS specific? You can run IE on multiple OS's, same with Safari, Chrome and Firefox.

I could be completely wrong, as I haven't delved into how the contest is set up.

The IE guy was also prepared.

http://www.zdnet.com/blog/security/...indows-7-hijacked-with-3-vulnerabilities/8367

Fewer said it took about five to six weeks to find the vulnerabilities and write a reliable exploit. “Writing the exploit was the tricky part. It was very time consuming, especially bypassing protected mode,” he added.
 
Where does that article state that it took 20 minutes for them to hijack Windows?


Apologies, I am mistaken on this,

My original source which I can't remember was quoted 'Windows 7 fell 20 minutes later'

Which I guess I took the wrong way.

I'll rephrase it that Windows lasted longer because of the need to successfully hit and link 3 exploits together before the security was bypassed.
 
Your analogy was stupid.

My analogy was based on a hope that people have higher moral standards than this.

You compared a zero effort action like witnessing a crime in progress, to an extensive and labour intensive research process.

Yeah, extensive and intensive, aimed at getting money, not securing software for the good of all people.
 
Let's see some originality. It's always the same old safari/IE "have to go to some website and click around vulnerability". I want to see them hack OS X without using Safari. Oh, and instead of launching a calculator, I want them to erase the HDD.

This contest isn't for that. It's to show where the hole exists. It'll take more than just this exploit to run some malicious code on OSX; again, that's where the majority of the security happens with Macs, not on the browser level (browsers aren't even OS specific, what's on the Mac's vulnerability list may be on Windows as well).

Making sure to use the built-in security features of OS X will keep this from literally doing more than what it did. Although it can allow them to run anything that's not secured on the machine. They opened a calculator, but they could open other programs/files and use them. The point I think you're getting at is this hole doesn't seem to be able to be used to install anything dangerous.

I really do recommend the Mac Hacker's Handbook, by the guys who won this thing repeatedly over the years.
 
I despair at all the people who think that 'I never visit dodgy web sites' is enough of a defence. So you've NEVER Googled a problem and clicked on the link Google provided? You've never clicked on a link someone's given in these forums? And those sites you do consider 'safe' - how secure are they from being hacked? And even if they're secure, do they carry ads? How secure are the servers of the ad-supply company?

I recently had to clean a Windows laptop belonging to my sister-in-law. I was convinced that it was her kids using P2P file sharing like it has been every other time I've done it, but she assured me that they hadn't been, and her IE history showed only household-name shopping sites, and then I spotted this:

http://www.bbc.co.uk/news/technology-12608651

London Stock Exchange, eBay, Auto Trader, VUE cinemas... I don't think those would be classed as dodgy sites (even eBay)

P.S. I hope you didn't actually click on the link I provided above.
 
Maybe Google paid off the dude who could hack Chrome.. or had him killed..

Quite amusing when I logged on just now and saw this article using Chrome and the first thing it bloody did was crash :rolleyes:
 
So if the vulnerability is in WebKit, how did Chrome fare so well against Safari since they both run WebKit? Granted they are probably different implementations, but it sounds like they didn't even go near Chrome 'cause it was so secure. I am a big fan of both browsers; I prefer Safari, but that is mostly out of habit. If Chrome is really that much more secure then I will definitely switch. Any insight?

Umm you answered your own question.
Just because it is Webkit does not mean you do not have to do other things to break out of the browser.

What hole might work on Safari will not work on Chrome. Even if they are using the same Webkit hole.
 
My analogy was based on a hope that people have higher moral standards than this.

Yeah, extensive and intensive, aimed at getting money, not securing software for the good of all people.

To follow your crime analogy then, we shouldn't be paying the police, 'cos protecting the public should be reward enough that food for their families is a sign of unethical greed.
 
So if the vulnerability is in WebKit, how did Chrome fare so well against Safari since they both run WebKit? Granted they are probably different implementations, but it sounds like they didn't even go near Chrome 'cause it was so secure. I am a big fan of both browsers; I prefer Safari, but that is mostly out of habit. If Chrome is really that much more secure then I will definitely switch. Any insight?

I'd assume that the sandbox in Chrome helped.

The exploit might work in Chrome, but the sandbox might stop you doing anything too serious with it.
 
So, I want to know, what about Firefox? Apparently Chrome is safe. I read one article that mentioned all the browsers but Firefox (how Chrome had no one hacking it and IE and Safari proved to be unsafe, but no mention of Firefox).

Also, I see people saying it's about time Apple takes security seriously... except I see nothing in this story about Apple doing anything about it!!! And I see several people commenting that every year they are the first to be hacked... that doesn't say to me they are taking it seriously. If they are, shouldn't they have done something about it by now?
 