Old 03-20-2009, 04:45 PM   #16
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

Quote:
Originally Posted by FanIn80
Right, but they're testing the ability to hack the browser to get to the OS, not the ability to hack the OS. My point is they could probably hack into a Windows box (using the same vuln) if it was running Safari for Windows.

This is just about proving vulnerabilities in browsers, not operating systems.

(This isn't a MAC/PC thing, I'm really just trying to make sure I understand.)
Well, while the same exploit of the browser may exist, a different O/S may not be susceptible to that exploit. For example, Windows XP is always an easier target because most people run with administrative privileges, giving malware makers the rights to be able to install and control the O/S any way they wish.

You are partially correct in saying this is testing browsers, but just because a browser has a vulnerability <> the O/S is vulnerable.

This competition is specifically looking for ways malware writers could gain control of the O/S, and by far the most available method is via the browser. So they took the 2 most common O/Ses and the most common browsers on each O/S. They could have done it through e-mail, or p2p clients, but browsers are the most wide open.

So perhaps the Safari browser is just as bad on Windows, but how many people use the Safari browser on Windows? And who knows if Windows is even able to be hacked through the same spot (my guess would be yes, but perhaps Windows has seen this type of attack before and already blocks it).

Incidentally, day 2 of this competition allows extensions to the browsers to look for vulnerabilities through that vector. I'm not sure how they figure that one out - how do they decide which extension to allow? Unless they are referring to JavaScript/Flash.

I don't think this is an indictment of Macs. It isn't like one was hacked and the other O/S wasn't. But the sheer speed of the event was amazing. Even if the guy did come up with this vuln a long time ago, that just means that it could/should have been fixed a long time ago; or some malware writer may have already been using the exploit for a long time.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati