Safari pwned and owned in seconds

Discussion in 'Mac Apps and Mac App Store' started by KingYaba, Mar 18, 2009.

  1. KingYaba macrumors 68040

    KingYaba

    Joined:
    Aug 7, 2005
    Location:
    Up the irons
    #1
    http://blogs.zdnet.com/security/?p=2917

    VANCOUVER, BC — Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

    “It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

    The contest kicked off at exactly 3:15 PM and, within seconds, Miller launched his drive-by attack and claimed the $10,000 top prize. He also got to keep the MacBook machine.

    Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.”

    TippingPoint’s Zero Day Initiative has acquired the exclusive rights to the vulnerability and will coordinate the disclosure and patch release process with Apple.

    Technical details of the vulnerability will not be released until a patch is ready.

    Several hackers are currently attempting exploits against Internet Explorer 8 and Firefox but those browsers are still standing.


    Well, there you have it. I wish I could make $10,000 like that.
     
  2. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #2
    Miller seems to have a pretty good attitude about it, and it seems to slowly be contributing to improved information safety, so more power to them.... $10k is probably a very cheap price to pay for knowing about a true zero-day flaw before it goes wild (assuming it really is one, and not one of those things that relies on some fairly unlikely circumstances).
     
  3. clevin macrumors G3

    clevin

    Joined:
    Aug 6, 2006
    #3
    I do think Apple's action is improving over the last two years regarding the security issues.

    But I guess there are just too many problems once people pay attention to it?

    For whatever reason, Apple better think twice when blindly bragging about how secure their products are.
     
  4. Abstract macrumors Penryn

    Abstract

    Joined:
    Dec 27, 2002
    Location:
    Location Location Location
    #4
    Safari is pretty much the Mac equivalent of IE in terms of security, isn't it. :eek:


    Hope this gets fixed fast, although Charlie Miller will probably just find another lovely Safari exploit in a few days.

    I'm not too concerned because I still use Firefox as my main browser. At least everyone has an option.
     
  5. Matek macrumors 6502a

    Joined:
    Jun 6, 2007
    #5
    Pwn2Own 2009 - results

    Safari lost again :/.
    Original news.
     
  6. clevin macrumors G3

    clevin

    Joined:
    Aug 6, 2006
    #6
    patch, patch, patch, now it's time to work, Apple, be quick! :D
     
  7. MistaBungle macrumors 6502a

    MistaBungle

    Joined:
    Apr 3, 2005
    #7
    People, people, there is nothing extraordinary here. An exploit was achieved by navigating to a certain URL. All the work was done prior to the competition and all he did was stroke a few keys and hit enter.
     
  8. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #8
    They have proved, in years past and now, that without user interaction they cannot break into OSX or part of OSX.

    They NEED to trick the user into going to a malicious web site, which could still be done, but as long as users practice safe usage, it will not be an issue.

    If you look at the MS page, many more remote code execution vulnerabilities are found every month (with many more that are not announced / found).
    http://www.microsoft.com/technet/security/advisory/default.mspx

    It's easy to do the same thing for Windows, it's just the guy chose to do it for OSX.
     
  9. Matek macrumors 6502a

    Joined:
    Jun 6, 2007
    #9
    Well, the user practically always has to do something - whether it's connecting the PC to a network, visiting a malicious site, etc. The point of the exploit is that the user is doing something completely regular that should in no way harm him, yet it does because of a security issue. IMHO there's not much difference between this and a worm that installs itself over the network. Yes, the former will probably spread faster, but it's still a very similar kind of security issue - a piece of software will do something it's not supposed to do.

    I disagree with you - you're trying to slip this one in with the exploits that actually have to be executed by the user, which is a HUGE difference.

    Is this just an assumption or do you have any way of supporting it? Because if I were him, I'd simply choose the one that would be the easiest to hack.
     
  10. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #10
  11. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #11
    I'm glad I use Firefox.

    Apple needs to hire more people to test their software for vulnerabilities. They could even outsource it by running a few of these competitions, with prize money for each vulnerability found.
     
  12. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #12
  13. madog macrumors 65816

    madog

    Joined:
    Nov 25, 2004
    Location:
    Korova Milkbar
    #13
    Someone can hack Safari if they are on the same network and you are browsing site www.you'llgethacked.com! And if they do they can infect your Mac with none of the viruses that don't exist or place a trojan on your desktop that you'll have to install! OMG NOOOOOOO!

    In related news, they found out a way to transfer malicious .exe files to your Mac! Scary stuff!

    Even condoms have holes in them, but it's safer to use one than to not! It's true!
     
  14. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #14
  15. ppc750fx macrumors 65816

    Joined:
    Aug 20, 2008
    #15
    You're kidding, right?

    Mr. Miller's being a complete twat about the whole thing IMO:

    1) He sat on the vuln and didn't tell Apple in order to ensure that he'd win the contest and get some more press. He's a smart guy, but he's not the only one -- by sitting on the hole for a year he gave plenty of time for other folks, potentially less scrupulous folks, to discover said unpatched hole.

    2) He's flat-out wrong about NX support and ASLR. OS X features both, but in his interview he implies that it doesn't support either. (Now Leopard's ASLR support isn't terribly solid, and it doesn't have NX protection on the heap, only the stack -- but that's no excuse for implying that it has neither.)

    Basically, he attacked OS X because he knew it would get him the most press, plain and simple. There's nothing wrong with that, but both his handling and the media's handling of the attack are, IMO, pretty nuts.
     
  16. macer1 macrumors newbie

    Joined:
    Jan 9, 2004
    Location:
    saskatoon
    #16
    MacBook/Safari Hacked in 10 Seconds

    well at least Firefox and the new IE8 fell also

    VANCOUVER, BC — Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

    “It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

    The contest kicked off at exactly 3:15 PM and, within seconds, Miller launched his drive-by attack and claimed the $10,000 top prize. He also got to keep the MacBook machine.

    Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.”

    TippingPoint’s Zero Day Initiative has acquired the exclusive rights to the vulnerability and will coordinate the disclosure and patch release process with Apple.

    Technical details of the vulnerability will not be released until a patch is ready.

    Several hackers are currently attempting exploits against Internet Explorer 8 and Firefox but those browsers are still standing.



    VANCOUVER, BC — It took a while longer but Microsoft’s Internet Explorer 8 did not survive the hacker onslaught at this year’s CanSecWest Pwn2Own contest.

    A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7.

    He won a cash prize and got to keep the hardware. Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a “brilliant IE8 bug!” are being kept under wraps.

    Several members of Microsoft’s security response team were on hand to witness the successful exploit.

    “Nils” also scored a clean hit against Apple’s Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.

    http://blogs.zdnet.com/security/?p=2934
     
  17. Tallest Skil macrumors P6

    Tallest Skil

    Joined:
    Aug 13, 2006
    Location:
    1 Geostationary Tower Plaza
    #17
    Yeah, we know. He faked it. Look at the actual front page, and then read my signature.
     
  18. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #18
    I haven't seen any news confirming that the Safari hack was illegitimate so far... can you please provide a link for that?
     
  19. Tallest Skil macrumors P6

    Tallest Skil

    Joined:
    Aug 13, 2006
    Location:
    1 Geostationary Tower Plaza
    #19
    Poor choice of words; my mistake. :eek:

    The... exploit... itself was not faked, but calling it a ten second job is highly fallacious.

    He preloaded his crap and tricked someone into going to a link.

    OS X can't be hacked without end-user stupidity coming into play. Windows can. :D
     
  20. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #20
    Oh, I'm with you, yeah, the idea that he'd just walked up and cracked Safari in seconds when in actuality he had been studying and prepping his exploit for some time.

    The exploit does seem fairly serious to me, in that it could be embedded in an ad or a trojan website and it could spread fairly quickly.

    I'm also curious about some of his claims, like whether he thinks Chrome is hard to crack because it really is, or because he just hasn't known it as long as he's known Safari.

    The other kind of moderator to this is that the ill will towards IE in the bug arena is largely motivated by how much trouble IE and COM / ActiveX objects caused several years ago. Those days are largely gone. IE remains kind of an irritating browser, to me, but even I have to admit that IE7 and 8 are not like the days of IE 5 and all the malware that got onto Windows computers via ads.
     
  21. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Joined:
    Aug 9, 2007
    Location:
    Australia
    #21
    I wonder if the NoScript addon for Firefox would have kept the computer safe.
     
  22. Melrose Suspended

    Melrose

    Joined:
    Dec 12, 2007
    #22
    Yep. It took a day for him to do it, and it is not a readily-available flaw - you've got to have a high level of know-how to do it, not just be some demented couch potato teen with too much time on his hands.

    And, still, the person had to open the email and then click the link in order for the damage to be done. Which, if you have some common sense, is removed from the equation and therefore no longer such a big deal.
     
  23. Matek macrumors 6502a

    Joined:
    Jun 6, 2007
    #23
    Where does it say that they have to be on the same network? Oh and click.

    That depends on the source of the exploit. If it's the JavaScript engine - sure, disabling it would have kept the computer safe. If it's something else, it wouldn't change a thing. But all in all, it's not important, because JS is a vital part of the web nowadays - disabling it cripples the whole experience and is out of the question for most people.

    This kind of stuff is never of the couch potato kind, I don't know what you're talking about... The "hacking" tools that teenagers use are always made by someone else with much more knowledge and skills - that's the reason everyone can do it. The flaw itself is no harder/easier to abuse than any other.

    Well, the process you described is how 99% of computers get infected nowadays. If normal (stupid) users would "have some common sense", there would be practically no computer security problems out there. Unfortunately, the truth is far from that.
     
  24. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #24
    And you got these numbers from where?
     
  25. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #25
    80% of statistics are made up on the spot, don't 'cha know.
     
