I'll rephrase it that Windows lasted longer because of the need to successfully hit and link 3 exploits together before the security was bypassed.
I don't think that construction of the exploit affected the time to execute it. From that article:
During the contest, he set up a special web page with a link. Using the target machine, he clicked on a link and immediately launched the calculator app (calc.exe). He was also required to write to a file to prove that he got out of the low integrity mode. This proved that he got full user access to the hijacked machine.
Immediately? I know it's Windows but... :D

Also, I see people saying it's about time Apple takes security seriously... except I see nothing in this story about Apple doing anything about it!!! And I see several people commenting that every year they are the first to be hacked... that doesn't say to me they are taking it seriously. If they are, shouldn't they have done something about it by now?
 
Exactly. While it's good to know that people are checking these kinds of things, and sending the bugs to the developers, you can't put much stock in the actual contest, simply because they get to win the machine they hack. Who wouldn't pick the Mac first?

I'd go for the Dell - can't resist such a sexy non-descript blackish plastic creaky box that looks like every other craptop out there. Scrummy:D
 
I don't think that construction of the exploit affected the time to execute it. From that article:

Immediately? I know it's Windows but... :D

Ok you got me, but you can't argue that it took more effort and planning to break into Windows.

And that's a pretty crummy low blow at Windows, mine is snappy and does what I ask of it. Not like the Mac Pros I used to use that would Kernel Panic half the time at being asked to render video or import photos into Final Cut.
 
pish posh. what are they gonna do, torture me by making me watch them run some calculations on my calculator.app?! ;)
 
Also, I see people saying it's about time Apple takes security seriously... except I see nothing in this story about Apple doing anything about it!!! And I see several people commenting that every year they are the first to be hacked... that doesn't say to me they are taking it seriously. If they are, shouldn't they have done something about it by now?

There are some clear signs that Apple *are* starting to take security seriously. It'll just take them a long time to ramp up to a point where that's visible.

MS got the message within the first few years of XP, and whilst XP made great strides towards security, you can't just patch an insecure model. As such it was Vista before the fruits of some serious labour started to become apparent.

Apple have been nudging OSX towards more modern security models, and they've benefitted from the Unix underpinnings. There are also signs that at the corporate level they're actually starting to focus properly on security. They may be lucky and get to where they need to be before bad things start to happen. Luck isn't much of a strategy though.

FWIW, iOS is driving some of this new-found awareness, 'cos there security costs them materially. Jailbreaking can only happen if iOS is basically insecure at some level. The more secure the OS, the harder it becomes to jailbreak.
 
...but you can't argue that it took more effort and planning to break into Windows.
No, I won't argue with you there.

I just wish someone would report when each and every test began and how long it took to hijack.

And that's a pretty crummy low blow at Windows, mine is snappy and does what I ask of it. Not like the Mac Pros I used to use that would Kernel Panic half the time at being asked to render video or import photos into Final Cut.
Sorry, I was just joking. Windows 7 is quite capable. Immediately should be significantly faster than 20 minutes is what I was trying to imply.
 
Saying that it took these guys 5 seconds to hack Safari is disingenuous.

That was my point.

It's like saying it took me 60 seconds to write a 20 page paper because that's how long it took to print.

Sure, but exploits are not something the hackers will do live; you must set up a trap first (compromise a website, lure the user, etc.). But the point of the competition is: (with the prepared set-up) gaining control of the machine. And that was done within 5 seconds (taking control, that is).
 
There are some clear signs that Apple *are* starting to take security seriously. It'll just take them a long time to ramp up to a point where that's visible.

Yeah, it only took them three months to update Java. That's much faster than it used to be :rolleyes:
 
which means the same exploit should work.

Why? Google are free to modify the WebKit engine. The bug may relate only to certain OSX services exposed through the Mac version of Safari. The faulty code may exist in both browsers, but a slightly more secure model upstream stops it from propagating upwards in Chrome.
 
which means the same exploit should work.

No, it does not. The same hole in WebKit on different browsers does not mean it will let you get out of the browser's sandbox. Chrome could easily have sandboxed it better so a given hole still leaves you trapped in the sandbox.
 
+1

Chrome > Safari.

Like he said, the guy was signed up to attempt it, but ended up being a no show.

+ 1

Safari 5.x = Crap (Safari also has too many permissions, e.g. Safari is able to start other programs), in terms of security.
-> listen to Dai Zovi and Charles Miller
 
Yeah, it only took them three months to update Java. That's much faster than it used to be :rolleyes:

And after that Herculean task they realized they could take no more of it, and palmed Java off onto the community. ;)
 
Žalgiris;12106926 said:
So yeah, if I see someone stealing something, the first thing I ask when I call the police is how much can I get? Stop joking.

That analogy is off. A more accurate one would be if a store owner expected customers to install a security system where they shop in case of a crime. The point is, it's Apple's responsibility to plug their own security holes, and if they can't find them, they need to pay someone else to find them.
 
which means the same exploit should work.

Not in the least. They don't use the exact same iteration of WebKit.

Same goes with different hardware bases too. PPC hacks aren't guaranteed to work on the x86 platform...discussed more in depth in Mac Hacker's Handbook if you really want to read up on it.

Chrome also uses a Sandbox, which I fully support Apple adding to Safari.
 
This thread is long on crappy analogies and short on facts.

1. OS X with Safari 5.0.3 was hacked in 8 seconds by an exploit that took a multi-person team 2 weeks to prepare.

2. Windows 7 with IE8 was hacked by a one-man team whose exploit took several minutes.

3. Safari has been patched before the contest was over and the exploit no longer works.

4. Microsoft is releasing IE9 on Monday (not sure if it fixes the exploits).

So, Google sponsors a hacking event, and they release a huge update to their browser, and then "freeze" the versions, so hackers have to attack old versions of competitors browsers, but a brand new version of their browser. Pretty transparent.

These events should not be fodder for petty flame wars.
 
I'm pretty impressed. Hackers will always find a way so be nice to nerds or they will get you.
 
This should come to the surprise of no one. Safari has always been pretty behind as far as security goes. I love the browser, but even I understand this.
 
So, Google sponsors a hacking event, and they release a huge update to their browser, and then "freeze" the versions, so hackers have to attack old versions of competitors browsers, but a brand new version of their browser. Pretty transparent.

Google Chrome's multi-process architecture + sandboxing helps a lot.
Use Chrome if you want to be more secure.
 
pish posh. what are they gonna do, torture me by making me watch them run some calculations on my calculator.app?! ;)

No, but they can probably delete any files they want, or, if they successfully saved a file, they can easily have a small file that they execute instead of the calculator that downloads nicer apps that log your keys, your password, credit card numbers, and anything else worth logging, or pop up annoying ads so they can get paid for clickthroughs while you sit and feel safe and proud on your shiny new Apple laptop. Just as long as the calculator doesn't run.

I love and use Apple (shiny new Mac Pro :), but they need to actively find holes and fix them.
 