Safari Security Apple

Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file to the disk without crashing the browser. Apple released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last-minute patch for Chrome was also released), but failed."
  • Re:Firefox/Linux (Score:3, Informative)

    by Anonymous Coward on Thursday March 10, 2011 @06:46AM (#35441054)
  • by Nerdfest ( 867930 ) on Thursday March 10, 2011 @06:50AM (#35441086)
    I believe Apple released 50+ patches a few minutes before the contest. No special treatment for Google that I'm aware of.
  • Re:Simple (Score:5, Informative)

    by clang_jangle ( 975789 ) on Thursday March 10, 2011 @07:02AM (#35441154) Journal

    I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

    Exactly. It might have been far more interesting if we'd had a summary that at least made an effort to tell the whole story, [zdnet.com] rather than just the one-sided flamebait we got...

  • Re:no surprise there (Score:5, Informative)

    by somersault ( 912633 ) on Thursday March 10, 2011 @07:25AM (#35441268) Homepage Journal

    They had a VAIO with Ubuntu on it in 2008, which nobody hacked. VAIOs are certainly not "cheapo".

  • Re:Simple (Score:5, Informative)

    by C_amiga_fan ( 1960858 ) on Thursday March 10, 2011 @07:35AM (#35441304)

    >>>Apple is it lately.

    I don't have a problem with Apple.

    I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???") Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

  • by risinganger ( 586395 ) on Thursday March 10, 2011 @07:39AM (#35441324)

    Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged [arstechnica.com] in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak.
     
    Please feel free to resume posting uninformed comments now.

  • Re:Simple (Score:5, Informative)

    by Gadget_Guy ( 627405 ) * on Thursday March 10, 2011 @08:33AM (#35441554)

    Actually the reason Safari went down first was because it was the first target.

    But they don't all hack the same computer at the same time. Everybody is allocated a 30-minute timeslot with the different computers, and they all get attacked at the same time. At least, that is how it was described in previous years.

    When Chaouki Bekrar was bringing down Safari, Stephen Fewer would have been launching his attack on IE8. IE took longer because as Fewer said "I had to chain multiple vulnerabilities to get it to work reliably." Bekrar only spoke of a single vulnerability in his comments. So the Mac was just easier to hack. Certainly all the excuses about hackers wanting the prize of a Macbook more than the others is just unfounded speculation.

  • Re:Simple (Score:5, Informative)

    by jo_ham ( 604554 ) <joham999@noSpaM.gmail.com> on Thursday March 10, 2011 @08:44AM (#35441620)

    Yes, exactly like buying Windows Vista Extreme Ultimate Hyper Edition every so often.

    If you have an Intel Mac (which you need for 10.6 and 10.7), then you have owned it since *at most* January 2006. In that time you could have had 10.4 (released April 05), 10.5 (released October 07), 10.6 (released August 2009).

    The first one came with the Mac, so if you started on 10.4 you needed to buy 10.5 and 10.6 - so that's $129 for 10.5 and $29 for 10.6. $158 over 4 years is not too bad I think.

    If your Intel Mac came with 10.5 you've only had the option to upgrade once - for $29.

    But yes, I'm sure it's a grand conspiracy to force you to spend "another" $100 (when the price of Lion has yet to be confirmed).

  • Re:Simple (Score:5, Informative)

    by clang_jangle ( 975789 ) on Thursday March 10, 2011 @08:54AM (#35441696) Journal
    Ars has a much better article up. [arstechnica.com] Here's a quote:

    Next to fall was 32-bit Internet Explorer 8 on 64-bit Windows 7 Service Pack 1, beaten by security researcher Stephen Fewer of Harmony Security. Just as with Safari, the first contestant to attack the browser was successful in exploiting it, and just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk. Fewer says that the successful exploit required use of three separate vulnerabilities: two to achieve successful code execution within the browser, and then a third to escape Internet Explorer's Protected Mode sandbox.

    So it appears you may be the one whose smugness is unwarranted. :D

  • by Anonymous Coward on Thursday March 10, 2011 @09:03AM (#35441756)

    Seems like an unlikely story. There is no FTP server on the Mac. Never has been. If the mac in question had a "world writable FTP", it must have been installed by someone. You can't blame the platform for that. Also, I follow Mac viruses closely. There is no known virus in the wild (yet) for the Mac. By that I mean one that can propagate by itself without authentication. Yes, there are trojans, but they also have to be authenticated.

    Agreed that the Mac community (if there is such a thing) needs to be alert. But please don't invent stories.

  • Re:Simple (Score:4, Informative)

    by Gadget_Guy ( 627405 ) * on Thursday March 10, 2011 @09:05AM (#35441768)

    Excuses, excuses. Your Mac is an insecure piece of shit.

    That is just juvenile. The Mac is definitely not as magically secure as a lot of fans like to suggest, but it is not an "insecure piece of shit". Apple has been paying more attention to security these days, so the OS and browser will only get more secure as time goes by.

    However, you are correct that the original poster was talking rubbish. Every year the Mac goes down first and every year people come up with the same excuse that the hackers target it because they want the prize more than the others. But as VUPEN's twitter post [twitter.com] shows, they were allocated to the Mac first by the organisers. They got IE second, but I guess they must have been too late as someone else got that one.

  • Re:Simple (Score:2, Informative)

    by jbolden ( 176878 ) on Thursday March 10, 2011 @09:30AM (#35441908) Homepage

    Let's see: from 1997 through 2002, all the way up to 10.1.5, the upgrades were free. You likely paid for 10.2 and 10.4. Which gets you to 2006 with 10.5, which is the last full-priced OS upgrade. So... how is that every year?

    What is the point of making facts up?

  • Re:Simple (Score:2, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday March 10, 2011 @09:40AM (#35441978) Homepage Journal

    Custom PCs with custom mobos running commodity chipsets, with an OS tuned, tested, and optimized for the hardware.

    Let's look at this. Custom PCs: Yes, they have very nice cases. Custom motherboards: Totally irrelevant; we have seen time and again that the quality of their boards is not any higher than anything else made in a Foxconn plant, like Asus. An OS tuned, tested, and optimized for the hardware? That is a load of dingo's kidneys. OSX is self-tuning just like Linux or NT. It doesn't disable services or run a different edition of a daemon just because you install the same OSX on another machine.

    The whole applehatred thing is weird, like racism or religious zealotry.

    Apple is a big liar. They tell you their OS is more secure against attack than Windows when it is in fact less secure due to incompetent ASLR and DEP, two features that Windows actually gets right (and does ASLR better than Linux, I might add.) If you turn it on for all applications and then whitelist the ones that fail then you can gain a pretty sharp increase in security. Most Windows infections seem to be trojan-related, and many of the remainder seem to come through the browser. Both of these are still problems on OSX. I don't like liars. Even more, I don't like the users who are dumb enough to believe them on the basis of their slick marketing. Those people are part of the problem in computing.

    Anyone making excuses for Apple without getting paid is a douche.

  • by bidule ( 173941 ) on Thursday March 10, 2011 @10:06AM (#35442164) Homepage

    The successful hack came in spite of a large security patch, Safari 5.0.4, that Apple released ahead of the competition, patching some 60 security holes in the browser. As well as Safari, Apple also patched iOS to version 4.3. This is because, in a change to historic competition rules, the system configuration was frozen last week, so the last-minute fix hasn't prevented exploitation.

    How to make the truth a lie.

  • Re:Simple (Score:5, Informative)

    by LanMan04 ( 790429 ) on Thursday March 10, 2011 @10:40AM (#35442496)

    I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it makes no sense to say this is just some hacker after the nicest prize.

    Yeah, seeing as I already have one dollar, I certainly wouldn't want another dollar.
