Safari/MacBook First To Fall At Pwn2Own 2011

recoiledsnake writes "A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge. The hijacked machine was running a fully patched version of Mac OS X (64-bit). Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser. Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest in an attempt to save face (a last minute patch for Chrome was also released) but failed."

Simple

[Anonymous Coward]

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

Hilarious

[theolein]

I'm a Mac user and fortunately not a mindless one (honest, promise!). That Apple has been extremely lucky in not being overrun in exploited machines has more to do with the normal target area for exploiters being windows due to marketshare, but Macs have a big enough marketshare these days to make it worthwhile for crackers. I'm pretty sure that the time will come when Macs will be running dubious AV products like most Windows people do.

Re:Simple

[TheRaven64]

I think this is the important point. It doesn't matter that the Mac failed first, it matters that it failed at all. The order isn't important - all of the exploits took a small amount of time, and all were done just by making the machine visit a malicious site. Which one was tried first is not the important bit.

The most embarrassing thing for Apple is that OS X has included a mechanism for applying fine-grained sandboxes to applications since 10.5 which Safari doesn't use. It would only be a couple of weeks worth of work for an engineer to create a sandbox policy, test it, and ship it with Safari. For some reason, Apple has decided not to invest this effort.

Re:Simple

[DrXym]

I assume these developers would need a Mac and extensive knowledge of its inner workings in order to develop and test an exploit. Therefore it make no sense to say this is just some hacker after the nicest prize. They're after the prize they know how to obtain and have spent a considerable amount of time researching.

It may well be that other computers fall thereafter and I expect in those cases they fall from people who similarly have knowledge of those respective systems.

So basically it sounds like you're making excuses.

Re:Simple

[mikael_j]

Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line...

Sandbox

[Mr_Silver]

The most interesting and disappointing thing about Pwn2Own for me was that all the recent development of sand-boxing in browsers suggested that they were going to herald in a new era of browser security.

In actual fact it turns out that, thanks sloppy implementations, they aren't very good at their job.

Re:Simple

[N1AK]

What's that rumbling sound I hear? Ach mein gott, it's the stampede of anti-apple trolls with their one-dimensional stereotypes, flaming straw men, and tired, old memes!

Wow. Using 'straw men' in your creation of a straw man argument, my hypocrisy detector nearly blew a fuse.

Re:Holding back exploits to score quick victories?

[jo_ham]

I'm not talking just about Apple - note that I was talking generally, and even specifically mentioned Google as an example - it's right there in my comment. I am talking about the contest as a whole, including all of the operating systems and browsers involved, but feel free to ignore my point and just have an Apple bash. After all, we are on slashdot.

Also, talking about this specific bug, it was an exploit in WebKit - so are you now saying that WebKit is an Apple product? After so many years of "Apple just took KHTML and rebranded it and claimed all the credit" posts on slashdot, now suddenly it *is* an Apple product? You can't have it both ways.

My original point was referring to all browsers and operating systems involved, both with OSS components and closed code.

Re:Simple

[clang_jangle]

I have a problem with the *owners* who act as if owning an "unhackable" Apple was like being married to the most beautiful wife on the planet. ("Why would anybody choose a different partner/ manufacturer???")

Who cares? Besides, for the non-geek, and for the multimedia professional it's true -- there is nothing that can touch OS X and the software available for it. It's an idiot-proof, user-friendly *nix.

Yes, it's limited, dumbed-down, locked-down, and has an aggravating tendency to try to force users into doing things "the Apple Way". In that regard, it's just as frustrating to me as windows. But it's still got the power of bash out of the box, and is every bit as capable as linux or any other BSD in many key ways. I can understand why people pay the premium, if the money isn't an issue it's a no brainer for lots of people.

Apple's personal computers are still..... just PCs. Just like Acuras/Lexuses are just Hondas/Toyotas.

Custom PCs with custom mobos running commodity chipsets, with an OS tuned, tested, and optimized for the hardware. It's a completely reasonable choice for people who like what Apple offers. The security isn't "all that", but it certainly beats the hell out of windows for the average user. The whole applehatred thing is weird, like racism or religious zealotry..

Re:Simple

[dotwhynot]

It's called "Pwn2Own": the hackers win the machines they hack.

Everyone wants Macs. They hack them first. The other computers come down minutes later.

First one wins 15k$ cash. You are saying they risk this by not going after the easiest target first because they so desperately want a Mac?

Lets face it : Apple got served.

[unity100]

There is no other way of putting it. When you get served, you get served. and apple, has got served. much better for apple and its fans to take lessons from it, accepting the result, to better their stuff, than to try to spin and defend it.

Re:Simple

[Dunbal]

But you have to understand the psychological aspect. I mean if you had paid twice as much for a brand and a look, found out that for your money you weren't getting much else, and watched the software you thought unhackable fail so miserably when you thought you were paying for security, you would be in denial too and rush to their defense. It's not Apple he is defending, it's his own feeling of foolishness that he's trying to cover up.

Re:misleading title on /.? never!

[Anonymous Coward]

Well that headline is misleading at best I'd say. I suggest reading pwn2own day one: Safari, IE8 fall, Chrome unchallenged [arstechnica.com] in which it states that both Safari and IE fell at the first attempt, clearly it was a matter of nothing more than the ordering. Apologies for disturbing all the anti-apple ranting but both systems are weak. Please feel free to resume posting uninformed comments now.

There is something strange about how this is worded, as the first hacker - taking down Safari/MacOS - won 15k$. It sounds really strange if that price was decided just by the ordering of attempts.

Re:Simple

[BasilBrush]

Slashdotters like such princibles as open source, patent-free technologies, and the right to do as you wish with hardware you buy even without the manufacturer's approval. They hate DRM and any anti-tamper measures.

That should read "Some Slashdotters..." there certainly isn't universal agreement on those. Particularly those who make a living by developing and selling software very often won't agree with that entire list.

Re:Simple

[C_amiga_fan]

>>>OS X 10.6 was only $30

That was a sale price. The previous 10.x releases (and future release) cost $130 plus $10 shipping. It really was like buying a whole new Windows OS every 1-2 years.

Which is fine if you have the money to spend.
I don't.

Ywn2Own

[skingers6894]

Every year headlines claim platforms "pwned" in seconds but it's misleading and sensationalist.

The exploits are researched and practiced over days or weeks, rehearsed and simply repeated on the day. Yes it's bad, yes it demonstrates insecurity but the headlines imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it's done.

Of course the exploits take seconds to run - they are running them on computers - they are fast.

I'm sure they get faster every year.

Re:Simple

[terjeber]

Eh, let's see if your "logic" holds up. The winner wins $15,000 AND the machine they hack. So, what would a rational person do, hack the easiest in an attempt to win $15,000 AND a $2,000 laptop, or hack the hardest in an effort to (most likely) ONLY win the $2,000 laptop.

I am certain that a Mac fanboi would go straight for the "un-hackable" Apple iron, any rational person would go straight for the box he figured he could hack the fastest though. I think these guys are relatively rational.

Re:It is slowly ramping up

[jo_ham]

It's funny how those of that *do* say those things about Macs are conveniently ignored on slashdot, or lumped in as one job lot with people who know nothing about security and claim that OS X is immune. Or even have our intelligence questioned for our choice of computing environment. It's really quite tiresome.

The specific bug that was exploited in this case is in WebKit, so it's a concern for any browser based on it - Apple or not. The purpose of the contest is PR, but does lead to exploits being exposed and patched (albeit held back by the people going for the prizes so they have something to deploy as soon as the contest begins - it took those guys a lot of work to get it to the stage where they could deploy it quickly - they could have disclosed their method some time ago [but the same is true for all the exploits used in this contest, on all of the platforms]).

The attack order of the machines really has little ultimate value in the end - the fact that security holes exist in the first place is the take home message. I hope OS X keeps getting attacked - the more exploits are found, the more get closed off. I am careful with my machine, but I welcome disclosure and patching of bugs.

Re:Simple

[Anonymous Coward]

If you read the ZDNet summary, you'd notice that the same group had an equivalent working exploit for Win7/IE8, but they chose to concentrate on hacking the Mac first. It's a sensible move since the Mac has roughly double the resale value and makes a better test machine since it can run OS X, Windows, Linux or almost anything else.

So claiming that "OS X is the first to be hacked" is very disingenuous since it implies that it's the easiest to hack. In reality, all the exploits are prepared ahead of time and we can't know which one was the most difficult to achieve. It sounds like none of the platforms survived being hacked, so the only thing we can conclude is that they're all flawed and every computer is vulnerable. The competition gives no useful information on which OS is best in this category, but only that they're all substandard.

The GP post, to me, is not making excuses for Apple which, like every other vendor, failed the tests. But what it's rightly pointing out is that the story's headline is sensationalized and designed to imply a conclusion that's false.

Re:Simple

[BasilBrush]

The whole "which fell first" thing makes a huge assumption that simply isn't true. The assumption that all hardware/software combinations are available at the same time to all participants.

For example, whilst Safari and IE fell on day one, Firefox isn't scheduled to be available to anyone to try to hack till day two. Thus you can't say Safari is somehow less than Firefox.

Likewise you can't say that Safari is less than IE. It may well be that the person with a working exploit for Safari got a time slot to try it before the person with a working exploit for IE. After all, it's not as if they are actually finding the exploits at the competition. They're exploits they've spent weeks preparing.

Re:Simple

[Wovel]

Of course Apple has done more to eliminate DRM from Music than everyone on Slashdot combined.

Weird..

Re:Simple

[sjwaste]

It's not like Apple is pursuing DRM and anti-tamper for a blind purpose. Their goal is to create a positive experience for the average user, free of the shit that "Windows People" complain about. Part of that strategy is to reduce malware by certifying software, maintaining quality by screening applications, and so on. They also have minimized the UI into what is commonly used, and either eliminating or burying the rest. It makes sense for people that aren't you or me.

I happen to like my Macbook. The battery life is ridiculous, and the OS is not locked down. I can do whatever the hell I want with it, with everything that's hiding under the hood. But at the same time, I could hand this to my parents, my sister, anyone else and they'd figure out how to use it.

Apple designs products for the majority. Hobbyists, tinkerers and geeks are a small minority. It's been a great business decision if you look at their stock price. I don't get why a lot of people here just don't understand that. Being a geek doesn't excuse you from having an understanding of basic business principles, at least not if you want to engage in some sort of discussion that touches upon that. If you don't want to buy Apple products because you do not wish to pay a premium for a streamlined experience packaged in a shiny wrapper, that's fine, but please don't assert that your way is the right way. Clearly, Apple has carved out a niche in the market for the experience that they market. And I'm not even talking about the "feeling cool because of the Apple logo" experience. I'm talking about the streamlining and ease of use. I'd give this shit to my grandmother. Turns out, Ubuntu might be too complicated for her.

Re:Hilarious

[vague disclaimer]

Yet oddly, this amazing event didn't make the news.

I suspect your pants are on fire.