
KingYaba

macrumors 68040
Original poster
http://blogs.zdnet.com/security/?p=2917

VANCOUVER, BC — Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

The contest kicked off at exactly 3:15 PM and, within seconds, Miller launched his drive-by attack and claimed the $10,000 top prize. He also got to keep the MacBook machine.

Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.”

TippingPoint’s Zero Day Initiative has acquired the exclusive rights to the vulnerability and will coordinate the disclosure and patch release process with Apple.

Technical details of the vulnerability will not be released until a patch is ready.

Several hackers are currently attempting exploits against Internet Explorer 8 and Firefox but those browsers are still standing.


Well, there you have it. I wish I could make $10,000 like that.
 
Miller seems to have a pretty good attitude about it, and it seems to slowly be contributing to improved information safety, so more power to them.... $10k is probably a very cheap price to pay for knowing about a true zero-day flaw before it goes wild (assuming it really is one, and not one of those things that relies on some fairly unlikely circumstances).
 
I do think Apple's action is improving over the last two years regarding the security issues.

But I guess there are just too many problems once people pay attention to it?

For whatever reason, Apple better think twice when blindly bragging about how secure their products are.
 
Safari is pretty much the Mac equivalent of IE in terms of security, isn't it. :eek:


Hope this gets fixed fast, although Charlie Miller will probably just find another lovely Safari exploit in a few days.

I'm not too concerned because I still use Firefox as my main browser. At least everyone has an option.
 
Pwn2Own 2009 - results

Safari lost again :/.
VANCOUVER, BC — Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.
Original news.
 
People, people, there is nothing extraordinary here. An exploit was achieved by navigating to a certain URL. All the work was done prior to the competition and all he did was stroke a few keys and hit enter.
 
They had proved in the years past and now, that without user interaction, they cannot break in to OSX or part of OSX.

They NEED to trick the user to go to a malicious web site, which could still be done, but as long as users practice safe usage, will not be an issue.

If you look at the MS page, many more remote code execution vulnerabilities are found every month (with many more that are not announced / found).
http://www.microsoft.com/technet/security/advisory/default.mspx

It's easy to do the same thing for Windows, it's just the guy chose to do it for OSX.
 
They had proved in the years past and now, that without user interaction, they cannot break in to OSX or part of OSX.

They NEED to trick the user to go to a malicious web site, which could still be done, but as long as users practice safe usage, will not be an issue.
Well, the user practically always has to do something - whether it's connecting the PC to a network, visit a malicious site, etc. The point of the exploit is that the user is doing something completely regular that should in no way harm him, yet it does because of a security issue. IMHO there's not much difference between this and a worm that installs itself over the network. Yes, the former will probably spread faster, but it's still a very similar kind of security issue - a piece of software will do something it's not supposed to do.

I disagree with you - you're trying to slip this one in with the exploits that actually have to be executed by the user, which is a HUGE difference.

It's easy to do the same thing for Windows, it's just the guy chose to do it for OSX.
Is this just an assumption or do you have any way of supporting it? Because if I were him, I'd simply choose the one that would be the easiest to hack.
 
I'm glad I use Firefox.

Apple needs to hire more people to test their software for vulnerabilities. They could even outsource it by running a few of these competitions, with prize money for each vulnerability found.
 
Someone can hack Safari if they are on the same network and you are browsing site www.you'llgethacked.com! And if they do they can infect your Mac with none of the viruses that don't exist or place a trojan on your desktop that you'll have to install! OMG NOOOOOOO!

In related news, they found out a way to transfer malicious .exe files to your Mac! Scary stuff!

Even condoms have holes in them, but it's safer to use one than to not! It's true!
 
Miller seems to have a pretty good attitude about it, and it seems to slowly be contributing to improved information safety, so more power to them.... $10k is probably a very cheap price to pay for knowing about a true zero-day flaw before it goes wild (assuming it really is one, and not one of those things that relies on some fairly unlikely circumstances).

You're kidding, right?

Mr. Miller's being a complete **** about the whole thing IMO:

1) He sat on the vuln and didn't tell Apple in order to ensure that he'd win the contest and get some more press. He's a smart guy, but he's not the only one -- by sitting on the hole for a year he gave plenty of time for other folks, potentially less scrupulous folks, to discover said unpatched hole.

2) He's flat-out wrong about NX support and ASLR. OS X features both, but in his interview he implies that it doesn't support either. (Now Leopard's ASLR support isn't terribly solid, and it doesn't have NX protection on the heap, only the stack -- but that's no excuse for implying that it has neither.)

Basically, he attacked OS X because he knew it would get him the most press, plain and simple. There's nothing wrong with that, but both his handling and the media's handling of the attack are, IMO, pretty nuts.
 
MacBook/Safari Hacked in 10 Seconds

well at least Firefox and the new IE8 fell also



VANCOUVER, BC — It took a while longer but Microsoft’s Internet Explorer 8 did not survive the hacker onslaught at this year’s CanSecWest Pwn2Own contest.

A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7.

He won a cash prize and got to keep the hardware. Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a “brilliant IE8 bug!” are being kept under wraps.

Several members of Microsoft’s security response team were on hand to witness the successful exploit.

“Nils” also scored a clean hit against Apple’s Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.

http://blogs.zdnet.com/security/?p=2934
 
I haven't seen any news confirming that the Safari hack was illegitimate so far... can you please provide a link for that?

Poor choice of words; my mistake. :eek:

The... exploit... itself was not faked, but calling it a ten second job is highly fallacious.

He preloaded his crap and tricked someone into going to a link.

OS X can't be hacked without end-user stupidity coming into play. Windows can. :D
 
The... exploit... itself was not faked, but calling it a ten second job is highly fallacious.

Oh, I'm with you, yeah, the idea that he'd just walked up and cracked Safari in seconds when in actuality he had been studying and prepping his exploit for some time.

The exploit does seem fairly serious to me, in that it could be embedded in an ad or a trojan website and it could spread fairly quickly.

I'm also curious about some of his claims, like whether he thinks Chrome is hard to crack because it really is, or because he just hasn't known it as long as he's known Safari.

The other kind of moderator to this is that the ill will towards IE in the bug arena is largely motivated by how much trouble IE and COM / ActiveX objects caused several years ago. Those days are largely gone. IE remains kind of an irritating browser, to me, but even I have to admit that IE7 and 8 are not like the days of IE 5 and all the malware that got onto Windows computers via ads.
 
The... exploit... itself was not faked, but calling it a ten second job is highly fallacious.

Yep. It took a day for him to do it, and it is not a readily-available flaw - you've got to have a high level of know-how to do it, not just be some demented couch potato teen with too much time on his hands.

And, still, the person had to open the email and then click the link in order for the damage to be done. Which, if you have some common sense, is removed from the equation and therefore no longer such a big deal.
 
Someone can hack Safari if they are on the same network and you are browsing site www.you'llgethacked.com! And if they do they can infect your Mac with none of the viruses that don't exist or place a trojan on your desktop that you'll have to install! OMG NOOOOOOO!
Where does it say that they have to be on the same network? Oh and click.

I wonder if the NoScript addon for Firefox would have kept the computer safe.
That depends on the source of the exploit. If it's the JavaScript engine - sure, disabling it would have kept the computer safe. If it's something else, it wouldn't change a thing. But all in all, it's not important, because JS is a vital part of the web nowadays - disabling it cripples the whole experience and is out of the question for most people.

Yep. It took a day for him to do it, and it is not a readily-available flaw - you've got to have a high level of know-how to do it, not just be some demented couch potato teen with too much time on his hands.
This kind of stuff is never of the couch potato kind, I don't know what you're talking about... The "hacking" tools that teenagers use are always made by someone else with much more knowledge and skills - that's the reason everyone can do it. The flaw itself is no harder/easier to abuse than any other.

And, still, the person had to open the email and then click the link in order for the damage to be done. Which, if you have some common sense, is removed from the equation and therefore no longer such a big deal.
Well, the process you described is how 99% of computers get infected nowadays. If normal (stupid) users would "have some common sense", there would be practically no computer security problems out there. Unfortunately, the truth is far from that.
 