In this second decade of the 21st Century, 'Researcher' is the new legal term for 'Hacker'. :D
Yeah, you get no prize money for finding vulnerabilities in Flash!!! :D
Instead, you have to pay ADOBE!!....... but you're probably already paying them somehow, so it doesn't matter.
 
As long as you're in the grid, there's no such thing as safe. Even if the OS is secure, people end up using other applications which end up being vulnerable, like browsers and browser plugins. The only thing that's keeping you sort of safe is that you're not single-handedly targeted and staying away from shady websites. But if you want to be completely safe, don't connect to any network.
 
I love white hat hacking. If I were an Apple engineer I'd be really happy about this! It's hard to know the vulnerabilities of a product you're making if your eyes are the only ones looking at the code. As consumers, we should be thanking these guys for their services -- it keeps the updates coming.
 
This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

Every system is exploitable, even one with a good track record like OS X. Be careful where you browse. Stay up to date on updates. This is also why I'm angered by websites that force you to turn off ad blockers; ad networks are the #1 source of malware there is.
This is the reason why engineers should be purged along with senior VP of software.
 
"Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows."

I'm curious – does this mean Firefox stood up for the "attacks" or wasn't it included as a target?
 
"Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows."

I'm curious – does this mean Firefox stood up for the "attacks" or wasn't it included as a target?
Same here, as Firefox is my preferred browser. Would be nice to know how it held up.
 
"Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows."

I'm curious – does this mean Firefox stood up for the "attacks" or wasn't it included as a target?

Same here, as Firefox is my preferred browser. Would be nice to know how it held up.

It was not featured.

One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.
"We wanted to focus on the browsers that have made serious security improvements in the last year".
 
Ad blockers like Adblock still allow non-intrusive and non-malicious ads. If a website makes you turn off Adblock, you might have to wonder why.

I wonder if Apple could use this in their FBI case. "Um guys... you want us to create a back door, there's contests that reward people for breaking the code. Imagine if they KNEW there was a back door and they just needed to find it."
Nah, I (and probably everyone else) always put it in "block everything" mode. I also refuse to use any website that disallows ad blocking. And I have Google's doubleclick.net IP addresses redirected to 0.0.0.0 in my hosts file.
It was not featured.

One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.
"We wanted to focus on the browsers that have made serious security improvements in the last year".
Dang, that's cold. :eek:
UGH! I can't find anywhere what kind of vulnerabilities these were. Seems every news site is summarizing some vague source. Are these privilege escalation vulnerabilities exploited by websites that a victim visits or what?
 
Was the FBI in attendance taking notes?

Why would they be? Nope. The FBI has "The Judge" and blind faith on their side.
NSA was though.
FBI should put these guys onto their payroll.

They just plan on slapping them with a warrant courtesy of the AWA and the friendly Judge.
This way it's forced and free :eek:
 
One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.
"We wanted to focus on the browsers that have made serious security improvements in the last year".

Also, wasn't there that breach in the Bugzilla bug tracker web app related to Firefox?

From what I read/remember, full reports and steps to reproduce for security-related bugs in Firefox had been leaked.
 
At last, a non-political thread I'm allowed to post into...


In the end, if you're not using good threat protection software on your PC, be it Mac, Windows or whatever flavour of Linux you are a fan of, you are putting yourself at risk. I've cleaned up relatives' computers which were so messed up it was a "change your password for every freaking online system you use" situation because they thought it was a great idea to install every possible toolbar in their browser, all the while not using any AV software... Some people should just pack up their computer and ship it back...
 
Oh great, just great. Safari already is the slowest browser in the universe.

Patching these things will make it unusable. It's 98% of the way there now.

So much for the days of "snappier" jokes.

:apple:
 
Oh great, just great. Safari already is the slowest browser in the universe.

Patching these things will make it unusable. It's 98% of the way there now.

So much for the days of "snappier" jokes.

:apple:

I use Safari, Opera and IE... Can't honestly say Safari is slower than the 2 others....
 
This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

Every system is exploitable, even one with a good track record like OS X. Be careful where you browse. Stay up to date on updates. This is also why I'm angered by websites that force you to turn off ad blockers; ad networks are the #1 source of malware there is.
True, but one must remember the only reason that OS X has a good track record is because the vast majority of hackers didn't care to write stuff specifically for it. The system has many weaknesses; I remember a few years back someone in one of these conferences hacked it in less than a minute.
 
Wait... I thought OS X is invincible and perfectly secure... According to people in this forum... The only reason they switch to Apple is Windows and Android are not secure enough... Guess they need to find a third platform now...

Actually, the consensus of this forum appears to be that OS X is not invulnerable to malware and hacks, but has historically been less prone to compromises than Windows.
 
Nah, I (and probably everyone else) always put it in "block everything" mode. I also refuse to use any website that disallows ad blocking. And I have Google's doubleclick.net IP addresses redirected to 0.0.0.0 in my hosts file.
I also have "block everything" enabled. I wanted to support MacRumors and tried to whitelist, to the effect I had to allow 12 (!) different trackers. That is not an option to me.

Checked a link to Wired today, they stopped allowing ad-blocking and became a pay-to-view site, goodbye Wired. Your content is not worth the security risk.

Little Snitch is good for blocking doubleclick.net and similar as well.
 
This is a reminder of the reason why, even though you have a Mac, you should be careful about browsing shady websites.

Unfortunately that is not quite true: in the age of distributed web advertising it might be sufficient to hack an "Ad server" which distributes its malicious contents to popular sites such as news sites. Heck, even this site macrumors.com could be affected!

And yes, there /have/ been cases in the past, even with "harmless formats" such as animated GIFs or PNGs (being served as ads), since the graphics library used had a buffer overflow bug or whatnot. Nowadays where there are even Flash ads... I just hope you have all uninstalled Flash by now ;)

So no, the statement that "only shady websites" are affected is wrong in the same way as the belief in the '80s that "only gay people get AIDS".
 