
Safari/MacBook First To Fall At Pwn2Own 2011

Posted by samzenpus
from the weakest-link dept.
recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."
This discussion has been archived. No new comments can be posted.

  • Simple (Score:2, Insightful)

    by Anonymous Coward

    It's called "Pwn2Own": the hackers win the machines they hack.

    Everyone wants Macs. They hack them first. The other computers come down minutes later.

    • Re:Simple (Score:5, Insightful)

      by TheRaven64 (641858) on Thursday March 10, 2011 @05:50AM (#35441084) Journal

      I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

      The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5, which Safari doesn't use. It would only be a couple of weeks' worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

      • Re:Simple (Score:5, Informative)

        by clang_jangle (975789) on Thursday March 10, 2011 @06:02AM (#35441154) Journal

        I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

        Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, [zdnet.com] rather than just the one-sided flamebait we got...

      • It looks like Apple is starting to walk down the same road that Microsoft has gone down years before, namely where the left hand either doesn't know what the right one is doing or if it does is actively opposed to it. From what little info we do have it seemed Steve kept a pretty tight ship, the various groups in Apple were relatively lock step. However with the increase in the number of products they develop and probably his failing health, he started to lose control and now you are starting to see the
      • by Raenex (947668)

        It would only be a couple of weeks' worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari.

        Are you a program manager, by chance?

    • Re:Simple (Score:5, Insightful)

      by DrXym (126579) on Thursday March 10, 2011 @05:59AM (#35441142)
      I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it makes no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

      It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

      So basically it sounds like you're making excuses.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        If you read the ZDNet summary, you'd notice that the same group had an equivalent working exploit for Win7/IE8, but they chose to concentrate on hacking the Mac first. It's a sensible move since the Mac has roughly double the resale value and makes a better test machine since it can run OS X, Windows, Linux or almost anything else.

        So claiming that "OS X is the first to be hacked" is very disingenuous since it implies that it's the easiest to hack. In reality, all the exploits are prepared ahead of time and

        • Given that the prize was $15,000 plus the machine, I'm not sure that the value of the machine had much to do with it. However, from the Ars Technica article, it sounds like they had one machine open for hacking at a time. First the Mac, then the Windows / IE machine. Then the Chrome / Windows machine, which no one tried to attack (one person found an exploitable hole, but sold it to Google for $1,337 instead of entering it into the contest). FireFox on Windows is up tomorrow.

          Note that the Pwn2Own conte

      • Re:Simple (Score:5, Insightful)

        by BasilBrush (643681) on Thursday March 10, 2011 @08:02AM (#35441748)

        The whole "which fell first" thing makes a huge assumption that simply isn't true. The assumption that all hardware/software combinations are available at the same time to all participants.

        For example, whilst Safari and IE fell on day one, Firefox isn't scheduled to be available to anyone to try to hack till day two. Thus you can't say Safari is somehow less than Firefox.

        Likewise you can't say that Safari is less than IE. It may well be that the person with a working exploit for Safari got a time slot to try it before the person with a working exploit for IE. After all, it's not as if they are actually finding the exploits at the competition. They're exploits they've spent weeks preparing.

      • Re:Simple (Score:5, Informative)

        by LanMan04 (790429) on Thursday March 10, 2011 @09:40AM (#35442496)

        I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it makes no sense to say this is just some hacker after the nicest prize.

        Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.

    • Re:Simple (Score:5, Interesting)

      by Anonymous Coward on Thursday March 10, 2011 @06:02AM (#35441158)

      Lies. Several times now they've had to allow more access to the machine before Windows was hacked. One year, before they stopped including Linux, it made it through the entire competition without being hacked despite everyone's best effort.

      At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux. It's 2011, being Unix doesn't magically make you secure.

      • Re:Simple (Score:4, Funny)

        by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday March 10, 2011 @08:32AM (#35441916) Homepage Journal

        At some point, you're going to have to accept that OS X just isn't that secure. It has a poor, inconsistent implementation of ASLR and DEP, Apple tends to be very slow at patching vulnerabilities, they don't prioritize security or safe coding practices, and it has absolutely nothing that compares to SELinux.

        AFAIK only Fedora really uses SELinux, everyone else uses AppArmor or nothing. What's sad is that Apple doesn't even have ANY capabilities-based security, not even as good as AppArmor.

    • Re:Simple (Score:5, Insightful)

      by mikael_j (106439) on Thursday March 10, 2011 @06:08AM (#35441184)

      Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

      • Re:Simple (Score:5, Funny)

        by daid303 (843777) on Thursday March 10, 2011 @06:13AM (#35441208)

        The researcher who was going to go after Chrome never showed up...

        So... google has the best assassins?

      • Re:Simple (Score:5, Informative)

        by Gadget_Guy (627405) * on Thursday March 10, 2011 @07:33AM (#35441554)

        Actually the reason Safari went down first was because it was the first target.

        But they don't all hack the same computer at the same time. Everybody is allocated a 30 minute timeslot with the different computers and they all get attacked at the same time. At least, that is how it was described in previous years.

        When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

      • Re: (Score:3, Interesting)

        by andyr86 (1942246)
        If you look at the article, both exploits took roughly 6 man-weeks to find and set up. Safari's took 2 weeks for 3 researchers and IE8's took 6 weeks for 1. They are both as bad as each other really.
    • by aliquis (678370)

      Mac reta... err.. users always got an excuse!

      I doubt it's got much to do with everyone actually wanting a Mac but rather more than people either shooting for the Mac because of the fame and extra publicity or because of Apple's (and their users') arrogance.

    • Re:Simple (Score:5, Insightful)

      by dotwhynot (938895) on Thursday March 10, 2011 @06:54AM (#35441392)

      It's called "Pwn2Own": the hackers win the machines they hack.

      Everyone wants Macs. They hack them first. The other computers come down minutes later.

      First one wins 15k$ cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

    • by andydread (758754)
      Wow, that's a different apologist twist on the issue that Macs are the least secure operating systems and get hacked first. Wow.
    • by mwvdlee (775178)

      Or maybe they already had Macs so they could research the exploits and they started with the Mac just to piss off those annoying "OS-X is so much more safe than Windows" Apple fanboys. Someday Apple fanboys will realize that their "security" really was "security through obscurity" all along, and on that day many Apple fanboys will have to reformat their hard drives.

    • Re:Simple (Score:5, Insightful)

      by terjeber (856226) on Thursday March 10, 2011 @07:37AM (#35441582)

      Eh, let's see if your "logic" holds up. The winner wins $15,000 AND the machine they hack. So, what would a rational person do, hack the easiest in an attempt to win $15,000 AND a $2,000 laptop, or hack the hardest in an effort to (most likely) ONLY win the $2,000 laptop?

      I am certain that a Mac fanboi would go straight for the "un-hackable" Apple iron, any rational person would go straight for the box he figured he could hack the fastest though. I think these guys are relatively rational.

  • by gtch (1977476)
    How does one pronounce 'pwn' in French?
  • Firefox/Linux (Score:5, Interesting)

    by sakdoctor (1087155) on Thursday March 10, 2011 @05:41AM (#35441026) Homepage

    Firefox and Linux are underrepresented in pwn2own as usual.
    I'm not complacent, just saying it's nice.

    • Re: (Score:3, Informative)

      by Anonymous Coward
      • Thanks for googling that for me using the I'm feeling lucky button.

      • Re:Firefox/Linux (Score:4, Interesting)

        by Anonymous Coward on Thursday March 10, 2011 @06:01AM (#35441144)

        Quoting from the link: "Linux is not an operating system that has widespread use with any one particular distribution, flavor or configuration," Portnoy said. "In general Linux is still a server-based operating system, people do use it on the desktop, but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

        To me this is like a combination of two classic arguments: one, that Linux doesn't have enough market share to warrant our attention; two, that given the diversity of Linux, which is one of its security strong points, it might be too difficult to crack it and even if we did, we can't make as big of a media spectacle about it. If I recall correctly, Ubuntu was included in this test a year or two ago and was the only one that was not cracked.

        • by Pvt_Ryan (1102363)

          Quoting from the link: "..., but you can't go to BestBuy and buy Linux with a specific distro on it that everyone uses that has widespread market share"

          I thought you could buy Linux PCs off the shelf in one of the big American chains (Walmart???). Was a low powered eco thingy iirc.

          Also as far as I know you can buy Linux on laptops from Dell as well.

    • sure, who would want to pwn Firefox or Linux, and get to own a free download ;) ...
      • Safari and IE8 are free downloads too, what's your point? It's the hardware they get to own, an OEM OS license is pretty insignificant next to that.

    • Yeah, fine forget linux. It's been tested in the past but not this year.

      ...it's nice to see Firefox underrepresented in pwn2own.

  • Hilarious (Score:5, Insightful)

    by theolein (316044) on Thursday March 10, 2011 @05:46AM (#35441056) Journal

    I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being Windows due to marketshare, but Macs have a big enough marketshare these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

    • by Sycraft-fu (314770) on Thursday March 10, 2011 @05:54AM (#35441116)

      We've had a few Macs (Macs that were administered by the person, not by IT) at work owned. In one case it was pure user stupidity, a world writable FTP. They couldn't see what was wrong though because "Macs can't get hacked!" In another case it was a virus that seemed to use the speech synthesizer to read ads. Was really funny.

      It is rare, compared to Windows, but growing. The real problem is, as I mentioned, the "But Macs are safe!" people. They really do think that running a Mac absolves them from any security responsibility. I think there are going to be some nasty awakenings and users will have to accept that no matter what you do, you need to have good security practices. A virus scanner is a good idea as well, since it can help catch things if you slip up (and we all slip up).

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Time to move to Lynx on OpenBSD :-).

    • by boristdog (133725)

      Yep. Last week my mother, who is the Mac "guru" amongst all her associates, called me to ask why and how a virus could have wiped out all the Macs at her job in one day. "That's not possible, is it?" she asked. Um...it happened, didn't it?

      The "Macs are safe from viruses" mantra has been drilled into the users a little too well. The vast majority of Mac users are convinced they are safe and take no precautions.

  • The groundwork they did will be most sought-after.

  • Given the financial incentives involved here (for example, the guy who gave up an almost certain $15,000 because he reported a bug to Google rather than keep it under wraps until he could clean up at Pwn2Own), how many bugs on all of the major platforms are kept "secret" to be used in contests like this?

    I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

    • it's a business. at least you get some bugs fixed that way. they'd keep it for other people if other people paid more (and some do!)
      so yeah, it's just business. most businesses aren't very moral for that matter.

    • by gl4ss (559668)

      they're not exactly secrets. a secret is something someone else couldn't stumble upon by accident or by purpose, these flaws are there or they aren't and everybody has practically the access to the same running code to examine at their leisure.

      maybe google should up the rewards and cut the paychecks of their useless academics to make it a non issue. they could just make their bounties a bit less of a joke, a thousand dollars is like 1/120th of the money it takes to employ their average guy who SHOULD HAVE F

    • I understand the nature of the event is to demonstrate the issues of security and code vulnerability, but sitting on exploits is surely counterproductive here?

      You don't understand the mind-set of hackers, do you....

      • by jo_ham (604554)

        Well, given the information in the article it was non-trivial to write a working exploit of this bug, so the guy clearly put a lot of effort into it. However, if bugs like these were reported more as a matter of course then it would leave the *really* esoteric ones for contests like this, which would be a security win for everyone, since more difficult bugs would be exploited and squashed for money.

        I think the people involved here are relatively altruistic in terms of security (ie, "white hat"), but I can't

  • Sandbox (Score:4, Insightful)

    by Mr_Silver (213637) on Thursday March 10, 2011 @06:17AM (#35441232)

    The most interesting and disappointing thing about Pwn2Own for me was that all the recent development of sand-boxing in browsers suggested that they were going to herald in a new era of browser security.

    In actual fact it turns out that, thanks to sloppy implementations, they aren't very good at their job.

    • It doesn't matter how good the idea is if the execution is sloppy. I do suspect browsers are more secure, and at least partially due to the sandboxing idea, than in the past, no?

  • by risinganger (586395) on Thursday March 10, 2011 @06:39AM (#35441324)

    Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged [arstechnica.com] in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak.
     
    Please feel free to resume posting uninformed comments now.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged [arstechnica.com] in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak. Please feel free to resume posting uninformed comments now.

      There is something strange about how this is worded, as the first hacker - taking down Safari/MacOS - won 15k$. It sounds really strange if that prize was decided just by the ordering of attempts.

    • by drinkypoo (153816)

      Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged in which it states that both Safari and IE fell at the first attempt,

      Nobody cares, because it's not news when IE gets compromised. It's news when Apple says "oh we're so secure" and iFanbois say "oh it's so secure" and it's the first to fall.

    • by bidule (173941) on Thursday March 10, 2011 @09:06AM (#35442164) Homepage

      The successful hack came in spite of a large security patch, Safari 5.0.4, that Apple released ahead of the competition, patching some 60 security holes in the browser. As well as Safari, Apple also patched iOS to version 4.3. This is because, in a change to historic competition rules, the system configuration was frozen last week, so the last-minute fix hasn't prevented exploitation.

      How to make the truth a lie.

  • There is no other way of putting it. When you get served, you get served. and apple, has got served. much better for apple and its fans to take lessons from it, accepting the result, to better their stuff, than to try to spin and defend it.
    • by BitZtream (692029)

      Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

      It's the same thing every year and well understood. It's also well ignored by most who would rather assume that it's bad security.

      All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The Macs are well sought after, hence they go first.

      God forbi

      • Yep, and the lesson here is, people really want to win the Mac, so it gets the most attacks to start with ... THEN people go after the others.

        It's the same thing every year and well understood. It's also well ignored by most who would rather assume that it's bad security.

        All of them fall pretty quickly once people target them, as has already been pointed out, people are sitting on exploits waiting for pwn2own in order to win the machines they want. The Macs are well sought after, hence they go first.

        God forbid, don't let reality obscure your perspective though.

        This is a silly argument for several reasons:

        1) They have to already own a Mac in order to develop the exploit.
        2) They could buy a lot of Macs with $15,000 USD.
        3) Why would you want to really, really win any particular brand of PC when you had just discovered and written something that lets anyone with a web server pwn it?
        4) Even assuming your argument is accurate, that means that all it takes is a little extra effort to crack a Mac, in this case because the browser isn't properly sandboxed. This is because

  • by Dunbal (464142) * on Thursday March 10, 2011 @07:22AM (#35441504)
    I feel a disturbance in the Force, as if a million Apple users suddenly cried out in terror, and were pwn3d.
  • Ywn2Own (Score:4, Insightful)

    by skingers6894 (816110) on Thursday March 10, 2011 @07:35AM (#35441566)

    Every year headlines claim platforms "pwned" in seconds but it's misleading and sensationalist.

    The exploits are researched and practiced over days or weeks, rehearsed and simply repeated on the day. Yes it's bad, yes it demonstrates insecurity but the headlines imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it's done.

    Of course the exploits take seconds to run - they are running them on computers - they are fast.

    I'm sure they get faster every year.
