The browsers are not hacked all at once but one at a time, with Safari being the first on the schedule. This is true in past pwn2own contests (including last year) as well.

I understand that. I understand that people are using "ZMG SAFARI FIRST TO DIEEEEEEEEE" headlines to get traffic, but people are falling left and right for this flamebait. If they all went at the same exact time and Safari was the last to get owned after 8 seconds, does that somehow make Safari more secure? Of course not.

Maybe people should stop taking the bait and just admit that Apple needs to focus more on security and this is further proof of that.
 
If every other browser was hacked before Safari, does that make Safari safer? Am I just missing something, or is everyone here totally missing the point?

But last year Safari was also the big loser. I think Chrome is much safer imo.

Last year the excuse was that the guy was some super expert. Now it's because it was a team that spent 2 weeks of preparation. What excuse will be next year?
 
The cognitive dissonance here is ASTOUNDING. The very article you link contradicts exactly what you said a few lines later:



The vulnerability they exploited could be used to RIGHT NOW ON A FULLY PATCHED HOST.

As someone who works in security, I'm torn: I'm disappointed that people are still so fantastically oblivious and stupid when it comes to security. But on the flip side, I get paid to protect you from yourself.

And yet, they didn't use the new patch. Okay, they exploited a flaw that wasn't addressed in the patch...but you seem to be missing the point with these arbitrary rules. WE GET IT, the vulnerability they exploited could be used on a fully patched host. Fine...but I wasn't commenting on that. I was commenting on Google allowing its browser to be patched...but wasn't even put up for the contest because the guy didn't show up. And "freezing" the others. But as you say, it wouldn't have mattered.

But I love your attitude. It's the same type of attitude that HBGary had....right before they were totally embarrassed. On the flip side, we love reading articles of hubris coming back to bite someone. :D And yes, that includes people thinking they're "safe".
 
6 weeks was put into Internet Explorer. You think the other hackers put no effort in hacking the others?

Google even promised to pay $20.000 to any hacker that can hack Chrome on the first day.

Yes but a finite number of people get a chance. In a pre-determined order.

The #2 team wanted to focus on something they thought was easier I'm guessing.

If it was open to ANYONE, then they might have had someone crack it day 1.
 
I understand that. I understand that people are using "ZMG SAFARI FIRST TO DIEEEEEEEEE" headlines to get traffic, but people are falling left and right for this flamebait. If they all went at the same exact time and Safari was the last to get owned after 8 seconds, does that somehow make Safari more secure? Of course not.

Maybe people should stop taking the bait and just admit that Apple needs to focus more on security and this is further proof of that.

They are taking security seriously. When a privilege escalation vulnerability (rarely occurs in OS X) shows up for OS X, roughly 2/3 of the time the vuln is found and patched by Apple before it is released to the public. The other 1/3 are found by researchers and reported to Apple to be patched before released to public. Very rare any are public and unpatched.

Browser exploitation does not include privilege escalation to the system level that allows the install of malicious software. Technically, a sandbox escape of a web browser is a type of privilege escalation to gain user level access but not system level access. In this regard, the unix DAC model in OS X is a sandbox to protect the system level from user access.

Webkit2 is Apple's initiative to secure Safari using a sandbox model similar to Chrome.

I am stating that Apple is taking security seriously and that fact is apparent if you look at what Apple is doing without bias.
 
Perhaps it took five seconds to implement, but it's not like it was the first time these hackers saw a MBA and Safari.

I'm sure there were dozens or hundreds of hours worth of research and coding in order for these guys to get to the point of being able to implement their hack.


I remain unconcerned.

Well it did state that they had worked on it beforehand. The concern is that with prior knowledge it can take someone only five seconds to exploit the browser's security. So I think you missed the point a bit.
 
These contests are nothing to worry about. It took them 2 weeks to find an exploit in an open-source WebKit-based browser. That's not bad. I found an exploit in an open-source web application in a matter of minutes, which I used to embarrass the webmasters of a commercial site.

The reason code is open-sourced is to find these kinds of exploits and close the door. For people to make competitions of this is pretty lame.

What's worse is the competitions, like in 2007 (mentioned above), where the "hackers" had access to the physical computer. I can exploit ANY computer if I have physical access to it!

I even had to "hack" my MacBook Pro on an overseas flight, right after 10.5 came out, which had a bug causing Administrator-level logins to be demoted to Standard User-level logins. Even though I had no Internet access or tools to open the computer, I was able to promote my access and re-promote the accounts that were demoted. How? I had physical access to the computer. (No, I'm not going to describe the exploit I discovered, but if you look at my sig, you'll understand.)
 
Maybe people should stop taking the bait and just admit that Apple needs to focus more on security and this is further proof of that.

Guess them recently hiring former NSA and U.S. Navy expert David Rice to be its director of global security isn't enough? Or should they have hired you? You seem pretty confident in your abilities since you "save" us all the time. :D

Of course, Rice hasn't started yet. But the NSA, do they know anything about security? Dunno...
 
Guess them recently hiring former NSA and U.S. Navy expert David Rice to be its director of global security isn't enough? Or should they have hired you? You seem pretty confident in your abilities since you "save" us all the time. :D

Of course, Rice hasn't started yet. But the NSA, do they know anything about security? Dunno...

They could hire all of the security people in the world and it wouldn't make a difference.

Apple has a poor attitude towards releasing updates to fix security problems with its software.
 
ksgant said:
And yet, they didn't use the new patch. Okay, they exploited a flaw that wasn't addressed in the patch...but you seem to be missing the point with these arbitrary rules.

Who cares about the rules?

I have a question. Could the version of Safari you are running on your Mac right now be compromised by this exploit?

Okay, the rules are stupid. AFAIK, these things ought to be confirmed to be fully patched immediately before the contest starts by an independent auditor. But the point of the contest is to showcase vulnerabilities. I admit, more of the focus has moved towards petty vendor showboating, so it seems, but if every vendor has a bad year and their stuff all gets broken into immediately, they're all screwed.

We, as the users, should stop arguing the semantics of the how/when/what/where and focus exclusively on the simple fact that the version of browser you might be using right now could be attacked.

WE GET IT, the vulnerability they exploited could be used on a fully patched host.

You get it now, after multiple pages of multiple people saying "OMG IT WASN'T PATCHED HOW IS THIS FAIR", ignoring the fact that if it was patched it wouldn't have mattered.

But I love your attitude. It's the same type of attitude that HBGary had....right before they were totally embarrassed. On the flip side, we love reading articles of hubris coming back to bite someone.

Reading slashdot doesn't keep you in tune with the security community.
 
Who cares about the rules?

I have a question. Could the version of Safari you are running on your Mac right now be compromised by this exploit?

Okay, the rules are stupid. AFAIK, these things ought to be confirmed to be fully patched immediately before the contest starts by an independent auditor. But the point of the contest is to showcase vulnerabilities. I admit, more of the focus has moved towards petty vendor showboating, so it seems, but if every vendor has a bad year and their stuff all gets broken into immediately, they're all screwed.

We, as the users, should stop arguing the semantics of the how/when/what/where and focus exclusively on the simple fact that the version of browser you might be using right now could be attacked.



You get it now, after multiple pages of multiple people saying "OMG IT WASN'T PATCHED HOW IS THIS FAIR", ignoring the fact that if it was patched it wouldn't have mattered.



Reading slashdot doesn't keep you in tune with the security community.


While I agree with you mostly, my issue with this exploit is simple. Can someone actually do something more than open a program you already have installed with it? Can this exploit be used to install malicious software? While being able to run programs remotely has some potential security risks, opening a calculator app is a bit different from installing remote control software on the device. OS X's security features would need to be bypassed as well, not just Safari, for this to occur.

They don't achieve root access. Only user level access.

Which makes anything malicious a bit tougher. :)
 
Yeah, that's it.:rolleyes:

I see you've taken your show outside of PRSI.

I'll say it again: Saying that it took 5 seconds to hack Safari is like saying it took me 60 seconds to write a 20 page paper because that's how long it took to print.

I'm not doubting that Safari has vulnerabilities......I just think it's disingenuous to say it took 5 seconds to hack.

But as long as the security flaw is not patched it can be used to exploit new machines every five seconds (well probably more, I'm not very well read into how these hackers operate).

The analogy would be correct if the whole point of the paper would be making money off of printing out as many copies as possible.
 
Reading slashdot doesn't keep you in tune with the security community.

Oh well, guess we'll just have to go with how much an expert you are in all this. Thank you zombiedictator...thank you so much for looking out for us! You're a shining light in a very dark and ugly world. Without knights like you saving us from ourselves, we'll be lost.

Also, do you have a newsletter that we can subscribe to?
 
Which makes anything malicious a bit tougher. :)

Two problems with this.

1) Most Apple users run as administrators. There's no good reason for doing this, but they do it anyway. And it's reasonably easy to circumvent the "enter your admin password" prompt, despite what people think.

2) Finding local privilege-escalation exploits is far more common than remote root exploits. This is usually what happens with OSes like Linux, actually. When the Apache Foundation's website has been hacked, for example, it's generally been done with a combination of a remote exploit that gets the hacker into the system at a low level combined with a local root exploit. So yeah, it's tougher but not impossible.

I do think people should take heart in that all these hacks - for all the OSes being tested - require the user to visit a malicious website. Things still need improvement but the security setup is getting better.
 
munkery said:
I am stating that Apple is taking security seriously and that fact is apparent if you look at what Apple is doing without bias.

I'm not going to argue that Apple is going in the right direction compared to 2006 Apple. However, they're the biggest technology company in the world by market cap and they can't throw a few bucks to researchers? They throw them a copy of Lion and say "do us a favor and do our work for us for free"?

Is Apple taking security seriously? Perhaps, but not serious enough if the only time you hear about it is in a press release.

ksgant said:
Guess them recently hiring former NSA and U.S. Navy expert David Rice to be its director of global security isn't enough? Or should they have hired you? You seem pretty confident in your abilities since you "save" us all the time. :D

Of course, Rice hasn't started yet. But the NSA, do they know anything about security? Dunno...

Congratulations. You value a press release over the opinions of industry insiders. I guess if Ford says the new Focus is the best car in the history of mankind it means Car and Driver doesn't know what the Hell it is talking about.

PhantomPumpkin said:
While I agree with you mostly, my issue with this exploit is simple. Can someone actually do something more than open a program you already have installed with it? Can this exploit be used to install malicious software? While being able to run programs remotely has some potential security risks, opening a calculator app is a bit different from installing remote control software on the device. OS X's security features would need to be bypassed as well, not just Safari, for this to occur.

You don't have to have system access to do bad stuff. Think of it this way; if you aren't prompted with an admin password to do something, then this exploit could do it.
 
1) Most Apple users run as administrators. There's no good reason for doing this, but they do it anyway. And it's reasonably easy to circumvent the "enter your admin password" prompt, despite what people think.

Mac OS X admin accounts are designed to provide as many privileges as possible while still avoiding the pitfalls of superuser/root privileges. Privilege escalation is required to "circumvent" authentication.

Provide an example of local privilege escalation being linked with remote arbitrary code execution in the wild in OS X?

2) Finding local privilege-escalation exploits is far more common than remote root exploits. This is usually what happens with OSes like Linux, actually. When the Apache Foundation's website has been hacked, for example, it's generally been done with a combination of a remote exploit that gets the hacker into the system at a low level combined with a local root exploit. So yeah, it's tougher but not impossible.

Provide an example of local privilege escalation being linked with remote arbitrary code execution in the wild in OS X?

But, UAC bypasses are still fairly common.
 
The Chrome hacker didn't show up. The problem is Chrome has in-app patching, so unlike with Apple (Safari) and Microsoft (IE) the last-minute patches were allowed to be applied. Apparently the exploit the Chrome guy was going to use was mitigated by one of those patches.

Isn't that the definition of security? Find a problem and fix it as soon as humanly possible. I think if anything this proves Google is way ahead of Apple in the patching process.
 
Only because no one took the challenge.



I don't see how that's a win for Chrome.

You don't see how these two teams backed out as being a win for Chrome? Ya, no one actually hacked it but that is because no one took the challenge even after two teams initially did, then backed out? Why is that? They had the potential to win $15,000 + a computer + $20,000 from Google! I don't understand how some people here can't put two and two together!
 
I'm not going to argue that Apple is going in the right direction compared to 2006 Apple. However, they're the biggest technology company in the world by market cap and they can't throw a few bucks to researchers? They throw them a copy of Lion and say "do us a favor and do our work for us for free"?

Is Apple taking security seriously? Perhaps, but not serious enough if the only time you hear about it is in a press release.



Congratulations. You value a press release over the opinions of industry insiders. I guess if Ford says the new Focus is the best car in the history of mankind it means Car and Driver doesn't know what the Hell it is talking about.



You don't have to have system access to do bad stuff. Think of it this way; if you aren't prompted with an admin password to do something, then this exploit could do it.

Yes, but what can you do without an admin password?
Anytime I try and modify anything remotely system related, I get asked for my admin password.
 
Congratulations. You value a press release over the opinions of industry insiders. I guess if Ford says the new Focus is the best car in the history of mankind it means Car and Driver doesn't know what the Hell it is talking about.

What industry insiders? What are industry insiders saying about Rice and his employment at Apple? Source of this? Or is this chat around the water-cooler at Symantec? :D

Oh, and I hope you're not referring to yourself as an "industry insider"...being just an anonymous name in a forum....so I'll assume you're talking about actual people in the real world. I mean, so far you've demonstrated nothing that shows you know what you're talking about. All you've said is essentially "oh, Safari still isn't patched! ZOMG! I'm an expert and I know!".

EDIT: The more I think about this, the more you seem to not want anything. You said: "Apple needs to focus more on security". Okay, in response to that I said well they did just recently hire a former NSA and US Navy guy to head up their security and you turn around and crap on that. Okay. "Apple needs to focus more on security"...so they've hired someone to head up that department which IS a start, but you just dismiss it. Are you one of those people that won't let anyone win? One that will crap on anything and everything a company does? One of those "not good enough" type people no matter WHAT they do?

Maybe we're going about this wrong. What would YOU have them do exactly and dispense with the vague "Apple needs to focus more on security" that has no answer good enough for you apparently.
 