Pwn2own 2011 day 1: Safari and IE8 fall [Update: IE9 fixed]

At the annual Pwn2Own competition, where hackers line up to show off their exploitation skills against a range of software and hardware targets, both Safari and Internet Explorer 8 were successfully exploited using zero-day flaws. The competition was hosted in Vancouver, B.C., Canada, where ZDNet managed to get some talk time with the hackers.

The first to fall was Safari on a MacBook Pro running a fully patched Mac OS X Snow Leopard (64-bit). The attackers exploited Safari simply by having it load a website hosting the exploit, which then launched the Calculator application on the machine.

VUPEN Security was the team that successfully hacked Safari. The firm said the vulnerability lies in WebKit, Safari's rendering engine, and that it took just two weeks to write an exploit that could 'own' a Mac user.

Next on the list was Internet Explorer 8, running on a fully patched Windows 7 SP1 (64-bit). Stephen Fewer, the Irish security researcher who successfully hacked Internet Explorer 8, chained three different vulnerabilities in the software to launch the calculator (calc.exe) application.

Both the Safari and IE8 exploits not only had to bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), but also had to actually launch the calculator on the target machine, the contest's proof that arbitrary code was executed.
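The two mitigations named above are what turn a single memory-safety bug into a multi-bug chain. The C program below is an added illustration for this article, not code from VUPEN, Stephen Fewer or the contest organisers: it models a constructed record with a fixed-size name field followed by a code pointer, plus two invented bounds bugs (an over-long read and an over-long write), and walks through the chain a browser exploit needs. The over-read leaks a code pointer, which defeats ASLR because every function in the same image sits at a fixed link-time distance from it; the over-write then redirects that pointer at code already present in the process (a stand-in for launching calc) rather than at injected bytes, which DEP would refuse to execute. The length caps at the struct size exist only so the demo never touches memory outside the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for code already present in the target image. Their distance
   is fixed at link time; under ASLR only the image base moves. */
static int g_calc_launched = 0;
static void default_handler(void) { puts("default handler"); }
static void launch_calc(void)    { g_calc_launched = 1; puts("calc"); }

/* Constructed layout: a fixed-size field followed by a code pointer, the
   shape an out-of-bounds read or write typically spills across. */
struct record {
    char name[16];
    void (*on_done)(void);
};

/* Bug 1 (info leak, invented for the demo): exports `len` bytes of the
   record without checking against sizeof name, so the bytes after the
   16-byte name, i.e. the on_done pointer, are disclosed. Capped at the
   struct size so the demo cannot read outside the object. */
static size_t leaky_export(const struct record *r, size_t len, unsigned char *out)
{
    if (len > sizeof *r) len = sizeof *r;
    memcpy(out, r, len);
    return len;
}

/* Bug 2 (memory corruption, invented for the demo): same missing bound on
   the write side, so an over-long "name" overwrites on_done. Capped the
   same way. */
static size_t vulnerable_import(struct record *r, const unsigned char *in, size_t len)
{
    if (len > sizeof *r) len = sizeof *r;
    memcpy(r, in, len);
    return len;
}

/* Pull the spilled code pointer out of a leaked dump. */
static uintptr_t leaked_pointer(const unsigned char *dump)
{
    uintptr_t p;
    memcpy(&p, dump + offsetof(struct record, on_done), sizeof p);
    return p;
}

/* Attacker side: one leaked pointer plus the link-time delta to the
   desired function (read from a copy of the binary in practice) yields
   that function's randomised runtime address. */
static uintptr_t derive_target(uintptr_t leaked, intptr_t delta)
{
    return leaked + delta;
}

/* Full chain: leak, compute, overwrite, trigger. Returns 1 if the
   pre-existing launch_calc ran through the hijacked pointer. */
static int run_chain(void)
{
    struct record r = { "pwn2own", default_handler };
    unsigned char dump[sizeof r];
    unsigned char payload[sizeof r];

    /* Step 1: ask for too many bytes; the leak reveals on_done's value,
       the address ASLR was supposed to keep secret. */
    leaky_export(&r, sizeof r, dump);
    uintptr_t leak = leaked_pointer(dump);

    /* Step 2: link-time distance from default_handler to launch_calc
       (computed in-process here purely for the demo). */
    intptr_t delta = (intptr_t)((uintptr_t)launch_calc - (uintptr_t)default_handler);
    uintptr_t target = derive_target(leak, delta);

    /* Step 3: overflow the name and overwrite on_done with the derived
       address. No shellcode is injected, because DEP would never let
       bytes written into this record execute; we reuse existing code. */
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct record, on_done), &target, sizeof target);
    vulnerable_import(&r, payload, sizeof payload);

    /* Step 4: the program's normal control flow calls the hijacked pointer. */
    r.on_done();
    return g_calc_launched;
}

int main(void)
{
    int ok = run_chain();
    printf("chain %s\n", ok ? "succeeded" : "failed");
    return ok ? 0 : 1;
}
```

The copies are done with memcpy over the struct bytes rather than with a real stack smash so the chain runs deterministically on any platform; the point is the dependency between the steps, not the specific corruption primitive. Remove the leak (step 1) and the attacker is left guessing a randomised address; remove the code-reuse idea (step 3) and DEP stops the injected bytes, which is why a contest entry against a DEP+ASLR target typically needs more than one bug.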

Update: Microsoft has confirmed that the same vulnerability is patched in IE9, which is due for release on Monday.


Firefox on Win 7 SP1 64-bit has been hacked too.

Also winning $10,000 was Nils, head of research at UK-based MWR InfoSecurity, who targeted Firefox on 64-bit Windows 7.

alexalex said,
Firefox on Win 7 SP1 64-bit has been hacked too.

Also winning $10,000 was Charlie Sheen, head of research at UK-based MWR InfoSecurity, who targeted Firefox on 64-bit Windows 7.

Corrected.

Google is paying too much to keep Chrome away from those exploits. Don't say that isn't doing well... But possibly paying those guys at Pwn2Own too. We cannot overlook the possibility. I expect anything from that company.

Chrome remained standing for the 3rd year in a row, even after Google put up a $20,000 reward this year.
It seems like no one can break Chrome's sandbox.

The third browser to be tested was scheduled to be Chrome. However, the contestant registered to attempt the attack did not show up.


matt4pack said,
Shouldn't they be testing IE 9 on Windows and Safari in Lion as well for a comparison?
Well, they are not stable versions, so they cannot be used as a test.

Wonder if they can do the same on Lion, where the Safari rendering engine will be sandboxed separately from the browser UI process.

Elliott said,
Wonder if they can do the same on Lion, where the Safari rendering engine will be sandboxed separately from the browser UI process.

They can. Only fanboys think their lovely OS of choice can't be hacked.

I love it that when you point out to a Mac fanatic how the Mac is always the first to fall in hacking contests, they'll talk for a solid 20 minutes about how and why OS X is more secure than Windows.

Even when you say that's fine in theory, and remind them that OS X is ALWAYS the first to fall, they'll reword their speech on how OS X is more secure than Windows.

If you crush their argument, they'll just start ranting about .DLL files and the registry.

They still took two weeks to write code to start up my calculator. I do realize it makes Safari NOT immune, but how many weeks would it take to completely **** up an OS X installation then?

PyX said,
They still took two weeks to write code to start up my calculator. I do realize it makes Safari NOT immune, but how many weeks would it take to completely **** up an OS X installation then?

You realise that starting up a calculator is simply a proof of concept? The hack wasn't geared towards the calculator app but rather simply used to show they can load whatever application/execute commands as they wish.

Hollow.Droid said,

You realise that starting up a calculator is simply a proof of concept? The hack wasn't geared towards the calculator app but rather simply used to show they can load whatever application/execute commands as they wish.


How about the IE8 hack?
It can start calc.exe, but that doesn't mean it can bypass UAC, and Apple has some form of UAC as well, iirc.

Considering IE is part of the Windows kernel, UAC should be taken into account as well as part of IE8's security.

PyX said,
They still took two weeks to write code to start up my calculator. I do realize it makes Safari NOT immune, but how many weeks would it take to completely **** up an OS X installation then?

A true virus doesn't need to **** up OS X. If it can launch an app, it has user access. If it has user access, it can delete all user data. What is more important - your data or the OS?

Although most malware these days tries to run something in the background, and if it can register as a userland service, then it's game over for the user - even if the OS somehow survives.

dhan said,

Although most malware these days try to run something in the background and if they can register as userland service, then it's game over for the user - even if the OS somehow survives.

This! Exactly! For end-user workstations, who gives a flying **** if something attacks "root" level files? I have discs, I can reinstall. You want to see me in a panic, have the exploit do rm -Rf * on my home folder (which is the same level as launching calculator). Good thing I have a good backup routine. Most people do not.

I personally think this whole contest is flawed. It does make for good "sensationalist" journalism, but the way it's conducted means the guys doing the hacking have plenty of time to research current and patched vulnerabilities, write code to execute the exploit, then test it multiple times right up to the day before the contest.
As Fewer said, "If you spend long enough looking for bugs, you'll always find something." It's just good that this contest does bring to light potential exploits that could already be in use, and that the companies affected know about them and are able to patch them.
What they do is very impressive and hopefully helps keep the majority of us (whatever our flavour) more secure in the long run

Riggers said,
I personally think this whole contest is flawed. It does make for good "sensationalist" journalism, but the way it's conducted means the guys doing the hacking have plenty of time to research current and patched vulnerabilities, write code to execute the exploit, then test it multiple times right up to the day before the contest.
As Fewer said, "If you spend long enough looking for bugs, you'll always find something." It's just good that this contest does bring to light potential exploits that could already be in use, and that the companies affected know about them and are able to patch them.
What they do is very impressive and hopefully helps keep the majority of us (whatever our flavour) more secure in the long run
good point

The article notes it took them two weeks to write the exploit... I thought it was supposed to be something they have to do on the day??

The security firm said that the vulnerability exists in WebKit, and took just two weeks to write a script that can 'own' a Mac user.

I'm sorry, but this still doesn't indicate that the IE exploit was able to have full access to the user's account. What's the betting that the calculator was running at low integrity?

I'll take more notice of this competition when the goal is to create a "I did it!" file on the desktop.

Side notes:

1) Apple, Firefox, and Google all released last minute updates specifically for the pwn2own contest.

2) Google is offering $20,000 for anyone that exploits Chrome; however, the fine print is funny, as it has to be Chrome running on Windows 7 for Google to pay up. (I guess they don't trust their own OSes, OS X, or Linux.)

3) The exploits in Safari and IE8 only show 'User' level access, there is no 'root' or system level access granted to either exploits.

4) The Mac Safari exploit only required visiting a web page. (Meaning it can be launched and executed without user interaction just by sending the browser to the exploit link. So anything from a type of redirect to a malicious ad appearing on a page could fire the exploit.)

5) The IE 8 exploit required visiting a web site and the user clicking on a specific link. (So it combines social engineering along with the vulnerabilities.) For the exploit to work, the user would have to visit a malicious web site and specifically click on a link on the page. Meaning it can't fire itself or spread through just opening a page, as the user's 'click' is part of how the exploit jumps Protected Mode.

thenetavenger said,
Side notes:

1) Apple, Firefox, and Google all released last minute updates specifically for the pwn2own contest.

2) Google is offering $20,000 for anyone that exploits Chrome; however, the fine print is funny, as it has to be Chrome running on Windows 7 for Google to pay up. (I guess they don't trust their own OSes, OS X, or Linux.)

3) The exploits in Safari and IE8 only show 'User' level access, there is no 'root' or system level access granted to either exploits.

4) The Mac Safari exploit only required visiting a web page. (Meaning it can be launched and executed without user interaction just by sending the browser to the exploit link. So anything from a type of redirect to a malicious ad appearing on a page could fire the exploit.)

5) The IE 8 exploit required visiting a web site and the user clicking on a specific link. (So it combines social engineering along with the vulnerabilities.) For the exploit to work, the user would have to visit a malicious web site and specifically click on a link on the page. Meaning it can't fire itself or spread through just opening a page, as the user's 'click' is part of how the exploit jumps Protected Mode.


^This should be added to the topic itself, because it changes the perspective quite a lot.
Especially that Chrome, FF (Fx for you nitpickers) and Safari were updated prior to the contest, and IE8 was a sitting duck. IE8 also happens to be what, 4 years old? FF, Chrome and Safari are all younger.

But IMO they should've waited till 14-15 march before the contest, start fresh on FF4, IE9 and Chrome 10.

thenetavenger said,

2) Google is offering $20,000 for anyone that exploits Chrome; however, the fine print is funny, as it has to be Chrome running on Windows 7 for Google to pay up. (I guess they don't trust their own OSes, OS X, or Linux.)

The target choice was by ZDI's guidelines. It wasn't Google who said anything about Chrome running on Windows7.

Temuulen Battumur said,
What's up with all those Chrome fanboys. No one mentions Firefox these days...

I think most 'fanboys' jumped ship a while ago, when they realised Firefox wasn't going anywhere fast.

Breach said,
I'm sure most of these guys have the exploits in reserve and just go there to gain some publicity.

I'm sure Apple sucks and these guys love exploiting them every damn time they can. Ohh yeah, Apple, the company that can never be exploited... Fanboys, suck it.

Breach said,
I'm sure most of these guys have the exploits in reserve and just go there to gain some publicity.

Definitely.

Once this contest is over, we'll see which browsers were vulnerable enough here, and which weren't. This contest doesn't tell anything about how difficult browser X was, or how long it took to come up with their exploit portfolio. The order of the browsers hacked also doesn't tell anything about the difficulty to hack them. One browser must always be first, and this simply depends on which one they use a hack on first.

http://www.eweek.com/c/a/Secur...-at-Pwn2Own-Contest-563112/

Despite the last-minute update from Apple, Safari was the first to be cracked by security researchers on the first day of the Pwn2Own hacking contest.

A team of security researchers from the French penetration test company VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win the Pwn2Own challenge on Mar. 9. Security researchers took turns trying to compromise the most up-to-date versions of Microsoft Internet Explorer, Apple's Safari, Mozilla Firefox and Google Chrome on the first day of the hacking contest at CanSecWest in Vancouver, Canada.

VUPEN cracked Safari in “5 seconds,” claimed several messages on Twitter from attendees.

A Geek Of All said,

VUPEN cracked Safari in “5 seconds,” claimed several messages on Twitter from attendees.

Perhaps so, on the day. It is stated that it took 2 weeks to write the script. that possibly would not include planning and thinking out ways to address the vulnerabilities.

There is no way they wrote the script in 5s; heck, you can't even open a new text document and write in it in less than 5s.

Not a bad bit of cracking all along though

Auzeras said,

Perhaps so, on the day. It is stated that it took 2 weeks to write the script. that possibly would not include planning and thinking out ways to address the vulnerabilities.

There is no way they wrote the script in 5s; heck, you can't even open a new text document and write in it in less than 5s.

Not a bad bit of cracking all along though

So hang on, Safari wasn't hacked in '5 seconds', it actually took two weeks. I wonder how long it took for the hack to be created for Internet Explorer - 3 months? Why don't these people actually get put into a room and told to hack at the software without having pre-hacked it before arriving? Then we'll see some real hacking skills unleashed.

Mr Nom Nom's said,

So hang on, Safari wasn't hacked in '5 seconds', it actually took two weeks. I wonder how long it took for the hack to be created for Internet Explorer - 3 months? Why don't these people actually get put into a room and told to hack at the software without having pre-hacked it before arriving? Then we'll see some real hacking skills unleashed.

Because it will be just as worthless.

Sure, the hackers at Pwn2Own do find vulnerabilities, but they certainly aren't the best out there. Zero-day exploits can go for hundreds of thousands for a really good one, and nobody is going to give up a potential goldmine of an exploit for just $10,000 and a free laptop (or w/e the prize money is). Smaller ones that won't sell on the market for very much, sure, why not?

Auzeras said,

Perhaps so, on the day. It is stated that it took 2 weeks to write the script. that possibly would not include planning and thinking out ways to address the vulnerabilities.

There is no way they wrote the script in 5s; heck, you can't even open a new text document and write in it in less than 5s.

Not a bad bit of cracking all along though


I agree - discussing the times here, or the order of the browsers hacked, is pointless.

The hacks have all been readied in advance.

These aren't trivial things to pull off as soon as a judge starts a stop watch. Also, as for the order of the browsers to "fall" - this solely depends on when a hacker moves to hack a browser. Not how hard it was to hack.

Summarized: The difficulty of hacking isn't evident in the contest itself. The contest *only* shows which ones could be hacked, and which ones that couldn't. Don't let any silly journalists fool you into thinking otherwise.

Mr Nom Nom's said,

So hang on, Safari wasn't hacked in '5 seconds', it actually took two weeks. I wonder how long it took for the hack to be created for Internet Explorer - 3 months? Why don't these people actually get put into a room and told to hack at the software without having pre-hacked it before arriving? Then we'll see some real hacking skills unleashed.

You do realize that hackers breaking into an unknown system usually only happens in the movies and is about as real as Neo or the Matrix?

/- Razorfold said,
Because it will be just as worthless.

Sure, the hackers at Pwn2Own do find vulnerabilities, but they certainly aren't the best out there. Zero-day exploits can go for hundreds of thousands for a really good one, and nobody is going to give up a potential goldmine of an exploit for just $10,000 and a free laptop (or w/e the prize money is). Smaller ones that won't sell on the market for very much, sure, why not?


Exactly, with a proper exploit hackers can earn so much more than that lousy 10 grand.
thenetavenger said,

You do realize that hackers breaking into an unknown system usually only happens in the movies and is about as real as Neo or the Matrix?


How about hackers who target systems like the Pentagon or whatever? It's not like that's known territory for them.

Brian Miller said,
What about Chrome?

Somebody was scheduled to hack Chrome, but they were a no-show. Perhaps they were planning on exploiting a security hole that was fixed in the recent update.

rfirth said,

Somebody was scheduled to hack Chrome, but they were a no-show. Perhaps they were planning on exploiting a security hole that was fixed in the recent update.
One thing I don't understand. Why do hackers use Google Chrome? Why not use Chromium? After all, it's newer, and you can test the newer security patches and make sure Google has no time to patch it before the event.

techbeck said,
Apple first to fail...like always.

It has nothing to do with first or second. There is no race as pwn2own just decides which platform will be tested first.

alexalex said,

It has nothing to do with first or second. There is no race as pwn2own just decides which platform will be tested first.



I am sure they will release the time it took to hack the browsers once everything is done.

techbeck said,


I am sure they will release the time it took to hack the browsers once everything is done.

Probably very short times for all that'll be hacked. It's not like they sit there and try to come up with new ways from the point where a judge starts a stop watch. The hackers are usually using unreleased exploits that they have found since earlier. That's why something like four browsers in 2010 could be hacked in one day with non-trivial hacks.

So I think it depends more on when a hacker does decide to hack it than on how long it takes to pull it off.

techbeck said,


I am sure they will release the time it took to hack the browsers once everything is done.

Safari was hacked in less than 5 seconds, apparently. But I don't think that is a very meaningful metric.

rfirth said,

Safari was hacked in less than 5 seconds, apparently. But I don't think that is a very meaningful metric.

True, they all know the contest is coming up so of course they've already exploited the browsers long beforehand and practiced it until they can do it quickly and easily.

<joke>I just wonder ... why won't hackers start creating a massive amount of viruses for Mac OS X? So then Jobs may say: 'It's because y'all using your Macs the wrong way' lol</joke>

astroX said,
I just wonder ... why won't hackers start creating a massive amount of viruses for Mac OS X? So then Jobs may say: 'It's because y'all using your Macs the wrong way' lol

Market share. It's not worth the effort to make something for a platform with like 5% market share

Caleo said,

Market share. It's not worth the effort to make something for a platform with like 5% market share

Sometimes I just think that the whole market share idea is not necessarily the reason why there are tons of viruses for Windows. Take for example the iPad ... I haven't heard of REALLY malicious viruses for iOS that would make developers create anti-virus software for iOS. Hopefully someday ... someday.

Caleo said,

Market share. It's not worth the effort to make something for a platform with like 5% market share

There is so much fail in that post I don't know where to begin - except to say that maybe you need to look up the fact that Safari on iOS and Mac OS X share the same code and thus share the same vulnerability that was used in the pwn2own competition - if you factored in the market share of Safari based on iOS and Mac OS X, it is most certainly a target worth aiming at.

The reality is that these days any cracking/hacking are focused on the weakest link - the end user which won't matter a single iota what security you have implemented when users are the weakest link.

astroX said,

Sometimes I just think that the whole market share idea is not necessarily the reason why there are tons of viruses for Windows. Take for example the iPad ... I haven't heard of REALLY malicious viruses for iOS that would make developers create anti-virus software for iOS. Hopefully someday ... someday.


BTW. Can you name a single Windows !virus! of 2010?

Caleo said,

Market share. It's not worth the effort to make something for a platform with like 5% market share

Well, this all depends... on a Starbucks Wi-Fi the market share is like 95% Macs. If you hacked Starbucks you would hack all Macs.

Mr Nom Nom's said,

There is so much fail in that post I don't know where to begin - except to say that maybe you need to look up the fact that Safari on iOS and Mac OS X share the same code and thus share the same vulnerability that was used in the pwn2own competition - if you factored in the market share of Safari based on iOS and Mac OS X, it is most certainly a target worth aiming at.

The reality is that these days any cracking/hacking are focused on the weakest link - the end user which won't matter a single iota what security you have implemented when users are the weakest link.

Ok, you have no reality with regard to OS X and iOS's insignificance in the computing world.

Let's do some math...

Go add up all the Mac Sales since 1984.
Then add up all the iPhone sales since it was introduced.
Then add up all the iPad sales since it was introduced.

Now look at that number, which should be a lot, as this is ALL the computers Apple has EVER sold, right?

Now, for reality...

It is still a smaller number than just the people currently running Windows 7 alone, which is only a year and half old.

So sadly, OS X even when added in with iOS numbers are tiny in the computing world.

• This isn't even factoring how many Macs and iPhones are actually still in use, as most of the Macs sold between 1984 and 2002 are no longer in use, let alone online to exploit.
• This is a fairly bogus comparison, because if you really do add in iOS, then you have to add in WinCE, which is not included in the 1.4 billion computer user numbers.
• Even WinCE alone is larger than OS X and iOS combined, and like OS X and iOS, WinCE does not have many viruses either. (WinCE is running computers probably even in your own home or car. - Ford Sync for example.)

---------------

As for the weakest link, sure it is social engineering and users most of the time, although with server hacking, not so much.

The funny thing with you bringing up the weakest link/social engineering hacking aspect, is the false sense of security/arrogance Mac users have that comes directly from Apple's marketing.

This makes Mac users the most vulnerable when using social engineering exploits. (There are studies and real numbers on this, look them up.)

So spending time to write an attack for OS X is almost silly. It would be like rainwater trying to get through a leaky roof, when the home owner is already opening the skylight every time it rains.

It's not market share, or Mac OS X would have like twice the amount of viruses Mac OS 9 had, yet it has had no more than 30 viruses in 10 years...

PyX said,
It's not market share, or Mac OS X would have like twice the amount of viruses Mac OS 9 had, yet it has had no more than 30 viruses in 10 years...

Mac OS 9 had NO security whatsoever. Mac OS X has security, it is just not that strong. These days, because of the security in modern OSes, malware is profit driven, and there is none in Mac malware.

PyX said,
It's not market share, or Mac OS X would have like twice the amount of viruses Mac OS 9 had, yet it has had no more than 30 viruses in 10 years...

Go back to the times when Mac OS was market leader. Which OS had the most viruses when Apple ruled the market?

oh yes it was MacOS.

thenetavenger said,
It would be like rainwater trying to get through a leaky roof, when the home owner is already opening the skylight every time it rains.

+1
Brilliant analogy. Love the proof without all those pesky numbers to obscure peoples understanding. WinCE is huge, bigger than iOS for sure. Considering my Car, my cable company's set top box, the embedded control systems in some of my employers monitoring equipment all run some flavor of CE.

Mr Nom Nom's said,
if you factored in the market share of Safari based on iOS and Mac OS X, it is most certainly a target worth aiming at.

But... where's the profit in creating a botnet or data mining tool for iOS?

The data you'd get from it would be minimal, and it would hardly have a particularly large amount of uptime if you were planning on renting the botnet out for DDoSing.

So, what good are DEP & ASLR if every script kid can bypass them?
And Microsoft still hasn't patched the zero-day MHTML security hole in IE8/9.

alexalex said,
So, what good are DEP & ASLR if every script kid can bypass them?
And Microsoft still hasn't patched the zero-day MHTML security hole in IE8/9.

Yes, the IE 8 exploit is more surprising than the Safari exploit. Safari doesn't use a sandbox at all.

alexalex said,
So, what good are DEP & ASLR if every script kid can bypass them?

it took 6 weeks for the hacker (not a script kiddie) to write the IE8 exploit!
(and he needed two flaws to bypass DEP and ASLR)

So I guess ASLR and DEP are still effective at making a buffer overflow very hard to exploit.

And Microsoft still hasn't patched the zero-day MHTML security hole in IE8/9.

A Fix it (temporary) patch has already been available for a month. However, MS isn't eager to publish a real patch, since this is just a cross-site scripting flaw (low importance). The MHTML flaw can't be used to access data on your system or execute malicious code.

Northgrove said,

Yes, the IE 8 exploit is more surprising than the Safari exploit. Safari doesn't use a sandbox at all.

Not really, as the IE8 exploit depended on a known vulnerability, so this was a good place to start if you knew that Microsoft would not have an official patch out yet. (A non-official patch is available, but being non-official and not automatically applied, it wasn't included in Pwn2Own.)

This is why it is important for people to remember, Microsoft didn't release specific patches for pwn2own and Google, Apple, and Firefox did... (Not that it helped Apple though.)

thenetavenger said,

Not really, as the IE8 exploit depended on a known vulnerability, so this was a good place to start if you knew that Microsoft would not have an official patch out yet. (A non-official patch is available, but being non-official and not automatically applied, it wasn't included in Pwn2Own.)

This is why it is important for people to remember, Microsoft didn't release specific patches for pwn2own and Google, Apple, and Firefox did... (Not that it helped Apple though.)


Microsoft finds most vulnerabilities before anyone else does. They make a patch, and when they feel like the vulnerability is being used/exploited, then they add it to Windows Update. There are so damn many hotfixes from MS, it's not even funny.

thenetavenger said,

Not really, as the IE8 exploit depended on a known vulnerability, so this was a good place to start if you knew that Microsoft would not have an official patch out yet. (A non-official patch is available, but being non-official and not automatically applied, it wasn't included in Pwn2Own.)

This is why it is important for people to remember, Microsoft didn't release specific patches for pwn2own and Google, Apple, and Firefox did... (Not that it helped Apple though.)

It seems only Google's patch was applied before the contest. Safari was still running 5.03 (5.04 was not applied before the contest). Don't know how the organizers allowed Google's patch but not others patch to be applied before contest (Microsoft and Apple)

trollonknoll said,

It seems only Google's patch was applied before the contest. Safari was still running 5.03 (5.04 was not applied before the contest). Don't know how the organizers allowed Google's patch but not others patch to be applied before contest (Microsoft and Apple)

I thought apple did last minute patching as well?

link8506 said,

it took 6 weeks for the hacker (not a script kiddie) to write the IE8 exploit!
(and he needed two flaws to bypass DEP and ASLR)

So I guess ASLR and DEP are still effective at making a buffer overflow very hard to exploit.

A Fix it (temporary) patch has already been available for a month. However, MS isn't eager to publish a real patch, since this is just a cross-site scripting flaw (low importance). The MHTML flaw can't be used to access data on your system or execute malicious code.

I don't get it, they were able to launch calc, so couldn't they just as well have launched malicious code?

trollonknoll said,

It seems only Google's patch was applied before the contest. Safari was still running 5.03 (5.04 was not applied before the contest). Don't know how the organizers allowed Google's patch but not others patch to be applied before contest (Microsoft and Apple)

Microsoft don't send any patches before.

Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3.

But Safari 5.0.4 is also vulnerable.

bj55555 said,
Safari is always the first to fall.

And many sheep out there believe that their Macs are unhackable due to the BS SJ has been spewing around.

XIII said,

And many sheep out there believe that their Macs are unhackable due to the BS SJ has been spewing around.

Too many, I say. Apparently this kind of thing means diddly squat to them.

In any case, are we taking bets to see how long it will take Apple to patch this? I'm betting six months.

Douglas_C said,

Too many, I say. Apparently this kind of thing means diddly squat to them.

In any case, are we taking bets to see how long it will take Apple to patch this? I'm betting six months.


I would say 1 year. That's when Apple releases a new revision of the OS and calls it the most innovative and secure OS ever ...

XIII said,

And many sheep out there believe that their Macs are unhackable due to the BS SJ has been spewing around.

They don't think it's unhackable, they think it's less likely to be hacked because OS X is a much smaller target. Or you're listening to another crowd than me.

Northgrove said,

They don't think it's unhackable, they think it's less likely to be hacked because OS X is a much smaller target. Or you're listening to another crowd than me.

No. They don't admit that Mac OS X is hackable. They just babble about some superior *nix foundation.

RealFduch said,

No. They don't admit that Mac OS X is hackable. They just babble about some superior *nix foundation.
Don't forget the never-ending "more secure" nonsense. "Security through obscurity" should be their new catch phrase.

Tim Dawg said,
Don't forget the never-ending "more secure" nonsense. "Security through obscurity" should be their new catch phrase.

Ehh, not exactly. Now me, personally, I don't mind a little security through obscurity on top of an already secure platform, and that's what Apple has. Apple has a LOT of users now, and you don't think a hacker would love to have his virus be the first big virus for OS X? If you think it's not a target, you're lying to yourself. OS X has had few real viruses that didn't require you to click a big button that says "This will delete your entire system" or some sort of social engineering virus like that. OS X is certainly not hackable, but so far the system has been proven to be more secure than some of its counterparts, you can't deny that.

Betaz said,
so far the system has been proven to be more secure than some of its counterparts, you can't deny that.

It depends. Do you listen to guys like Steve Jobs or your local Apple reseller, or security researchers like Charlie Miller or that VUPEN guy?

Aethec said,

It depends. Do you listen to guys like Steve Jobs or your local Apple reseller, or security researchers like Charlie Miller or that VUPEN guy?

I listen to my own experience working in the computer industry and having Windows, OS X, and Linux running on my home systems. I'm not overly biased in any direction, but just think about it: no one has made their name big yet for writing a self-propagating virus for OS X that leads to widespread infection. Don't you think there are a few hackers out there that would love to say they were first? To think that just no one tries to write viruses for OS X is silly. Their user base is very large now. Nowhere near Windows, but still, Apple is very popular. Hell, I'm sure many a Windows fanboy has tried to write a virus for Apple just because they get tired of people saying it's unhackable, and yet there haven't been any huge security vulnerabilities like that yet.

Now, security through obscurity is definitely an addition on top of the security the system already has, especially since a lot of viruses come from countries where piracy on old PCs is rampant, and I suppose Macs are probably much less common, but hey, why complain about fewer people trying to hack your system while you've got that advantage, right?

This competition obviously shows that OS X isn't perfect, and of course it's not, but even reading the details they mentioned the difficulty of creating a reliable hack.

Northgrove said,

They don't think it's unhackable, they think it's less likely to be hacked because OS X is a much smaller target. Or you're listening to another crowd than me.

They're starting to head in that direction now...

Betaz said,

I listen to my own experience working in the computer industry and having Windows, OS X, and Linux running on my home systems. I'm not overly biased in any direction, but just think about it: no one has made their name big yet for writing a self-propagating virus for OS X that leads to widespread infection. Don't you think there are a few hackers out there that would love to say they were first? To think that just no one tries to write viruses for OS X is silly. Their user base is very large now. Nowhere near Windows, but still, Apple is very popular. Hell, I'm sure many a Windows fanboy has tried to write a virus for Apple just because they get tired of people saying it's unhackable, and yet there haven't been any huge security vulnerabilities like that yet.

Now, security through obscurity is definitely an addition on top of the security the system already has, especially since a lot of viruses come from countries where piracy on old PCs is rampant, and I suppose Macs are probably much less common, but hey, why complain about fewer people trying to hack your system while you've got that advantage, right?

This competition obviously shows that OS X isn't perfect, and of course it's not, but even reading the details they mentioned the difficulty of creating a reliable hack.

Hackers create malware for profit, don't think otherwise. This isn't 1995 when viruses were created for the glory. There's hardly any profit in creating malware for OS X. Also, OS X is not a more secure platform than Windows. It only recently got ASLR, and a weak implementation at that. Linux isn't interesting either. It's often installed on servers, which have more protections in place.

day2die said,

I am sure it will, unless it's not made by a human.

FYI: Chrome has never fallen in pwn2own. I think it will continue this year as well.

stablemist said,

Chrome is webkit, so yes it will most likely fall.

Uhm, Chrome uses WebKit != Chrome is WebKit... otherwise the title would have said Safari, Chrome and IE8 fall.

still1 said,

It's hard for Chrome to fall... it's one secure browser.

It took 4 years for hackers to exploit a flaw in the IE sandbox!
I guess it will take another two years to exploit a flaw in the Chrome sandbox at Pwn2Own too ;-)
That isn't trivial, since it requires finding a 0-day privilege escalation flaw in the host OS.

stablemist said,

Chrome is webkit, so yes it will most likely fall.

Chrome tends to use more bleeding-edge versions of WebKit than Safari, so the chances are the exploit may have already been fixed in Chrome.

duddit2 said,

+1 - Made by man = can be broken by man!


Unless... it isn't made by man... and Google truly was actually taken over by its own mainframe!

alessandroasm said,

4 years?!? IE is exploited every year at this competition.

3 years ago, IE7 was not exploited at all (but Flash Player was).
These last 2 years, the IE exploit only managed to get read access. It couldn't write data outside the IE sandbox.
This is the first time ever that a hacker managed to find a flaw in the IE sandbox and bypass it to gain write access to the user profile.

IE's sandbox is not trivial to bypass. Chrome is two years old. Give it another two years and hackers may be able to do the same with Google Chrome's sandbox.
By the way, Chrome's sandbox partly uses the same foundations as IE's sandbox on Vista/7. So I guess this exploit against IE's sandbox could have been used to exploit Chrome's sandbox as well.
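The two comments above (the one on the IE sandbox needing a privilege-escalation flaw to escape, and this one on read access versus write access to the user profile) both rest on the Windows Mandatory Integrity Control policy that IE Protected Mode on Vista/7 uses and that Chrome's Windows sandbox also builds on. The script below is an added illustration, not code from the article or from any commenter: it creates a Low-integrity process by the documented route (a copy of cmd.exe with a Low file label starts at Low integrity, no exploit involved) and shows that it can read a Medium-labelled file in the user profile but cannot write to it. It assumes a normal, non-elevated user session on Windows Vista/7 or later; the folder and file names it uses are created by the script itself.

```powershell
# Added illustration of Mandatory Integrity Control (MIC), the policy behind
# IE Protected Mode on Vista/7. Not from the article or the commenters.
# Assumption: run from a normal (non-elevated) PowerShell session; every path
# below is created by this script under the user's profile.

# 1. Integrity level of this shell: a normal user shell shows "Medium Mandatory Level".
whoami /groups | Select-String 'Mandatory Level'

# 2. Build a Low-integrity process without any exploit: an executable whose file
#    carries a Low mandatory label is started at Low integrity.
$work = Join-Path $env:USERPROFILE 'mic-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$lowCmd = Join-Path $work 'cmd_low.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd -Force
icacls $lowCmd /setintegritylevel Low | Out-Null

# 3. Prove the child really runs at Low.
& $lowCmd /c 'whoami /groups | findstr "Mandatory Level"'

# 4. A Medium-labelled file in the profile (files get the creator's level by default).
$target = Join-Path $work 'profile-data.txt'
Set-Content -Path $target -Value 'medium-integrity data'

# 5. Read-down is allowed: the Low process can display the file.
& $lowCmd /c "type `"$target`""

# 6. Write-up is blocked by the default no-write-up policy: cmd reports
#    "Access is denied." and the original content survives.
& $lowCmd /c "echo overwritten > `"$target`""
"content after write attempt from Low: " + (Get-Content $target)

# 7. The Low process may only write where the label is Low, which is the role of
#    IE's "Temporary Internet Files\Low" style folders under the profile.
$lowDir = Join-Path $work 'low'
New-Item -ItemType Directory -Path $lowDir -Force | Out-Null
icacls $lowDir /setintegritylevel '(OI)(CI)Low' | Out-Null
& $lowCmd /c "echo ok > `"$lowDir\scratch.txt`""
"content written into Low-labelled folder: " + (Get-Content (Join-Path $lowDir 'scratch.txt'))

# 8. Inspect labels directly; objects without an explicit label are treated as Medium.
icacls $lowCmd | Select-String 'Mandatory Level'
icacls $lowDir | Select-String 'Mandatory Level'
```

Step 6 is the whole point of the thread's "read access but no write access" distinction: the sandboxed process is still a normal user-token process, so a bug in the browser alone only gets an attacker Low-integrity code execution, and writing into the user profile needs a second flaw in either a broker or the OS to move up a level.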