Mac hacked in less than 10 seconds - Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Bobblehead · 03-19-2009, 11:16 AM

Quote:

"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller on Wednesday, not long after he had won the prize. "It probably took five or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.

http://www.computerworld.com/action/...src=hm_ts_head

IE8 was hacked a bit later:

Quote:

ccording to Terri Forslof, manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. "Safari and IE both went down," she said in an e-mail.

Interesting competition.

Quote:

TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Safari, Internet Explorer 8, Firefox or Google's Chrome. During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop

Russic · 03-19-2009, 11:31 AM

so if he researched and wrote the exploitation before hand it didn't technically take him 10 seconds did it? Yet again the awesomeness of Firefox is shown.

Rathji · 03-19-2009, 11:36 AM

Thats what she said...

Hack&Lube · 03-19-2009, 11:36 AM

No hacker love for Opera???!

llama64 · 03-19-2009, 01:09 PM

Quote:

Originally Posted by Hack&Lube

No hacker love for Opera???!

People actually use Opera?

PsYcNeT · 03-19-2009, 01:22 PM

Quote:

Originally Posted by llama64

People actually use Opera?

Only on my BB

GoinAllTheWay · 03-19-2009, 04:47 PM

Is there any difference in FF securtiy between Mac or PC or does it even matter?

kermitology · 03-19-2009, 05:03 PM

Quote:

Originally Posted by Russic

so if he researched and wrote the exploitation before hand it didn't technically take him 10 seconds did it? Yet again the awesomeness of Firefox is shown.

Where is it mentioned that he used a vulnerability in Firefox?

He used a web based attack, but it doesn't specify that it's Firefox. And the last he did it he used Safari.

Russic · 03-19-2009, 06:36 PM

Quote:

Originally Posted by kermitology

Where is it mentioned that he used a vulnerability in Firefox?

He used a web based attack, but it doesn't specify that it's Firefox. And the last he did it he used Safari.

No my point was that he didn't use a vulnerability in Firefox, but did in the other 2 main browsers. However I do see now that Firefox has since been hacked at Pwn2Own.

Bobblehead · 03-20-2009, 11:11 AM

Wow, the vuln Miller used to win, he actually discovered while researching for LAST year's contest.

Quote:

Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year.

He has an interesting point. He is discovering these vulnerabilities, should he be required to give them away for free? If Apple/MS/Mozilla/Google are paying people to uncover these issues, why should he do it for free?

Personally I think that to pay for any bug would be brutal for any company to try and administer, but I could see them offer to pay for bugs to people like this, people who have proven their abilities to find these issues.

If this guy has known about this issue for over a year, it is definitely possible that a cracker knows of similar things but is smart enough not to spread it as a mass worm.

BTW, Chrome was the only browser that wasn't hacked by the end of the first day. Apparently the sandbox feature works pretty well.

http://arstechnica.com/security/news...wn-contest.ars

FanIn80 · 03-20-2009, 12:25 PM

Shouldn't the title of this thread be "Safari hacked in less than 10 seconds?"

Am I safe in saying that whatever vuln he used in Safari would also be present in Safari for Windows?

mykalberta · 03-20-2009, 12:27 PM

Quote:

Originally Posted by Bobblehead

Wow, the vuln Miller used to win, he actually discovered while researching for LAST year's contest.

He has an interesting point. He is discovering these vulnerabilities, should he be required to give them away for free? If Apple/MS/Mozilla/Google are paying people to uncover these issues, why should he do it for free?

Personally I think that to pay for any bug would be brutal for any company to try and administer, but I could see them offer to pay for bugs to people like this, people who have proven their abilities to find these issues.

If this guy has known about this issue for over a year, it is definitely possible that a cracker knows of similar things but is smart enough not to spread it as a mass worm.

BTW, Chrome was the only browser that wasn't hacked by the end of the first day. Apparently the sandbox feature works pretty well.

http://arstechnica.com/security/news...wn-contest.ars

Its too bad Chrome blows.

Bobblehead · 03-20-2009, 12:44 PM

Quote:

Originally Posted by FanIn80

Shouldn't the title of this thread be "Safari hacked in less than 10 seconds?"

Am I safe in saying that whatever vuln he used in Safari would also be present in Safari for Windows?

They are using the browser to get control of the OS.

kermitology · 03-20-2009, 01:33 PM

Quote:

Originally Posted by mykalberta

Its too bad Chrome blows.

I beg to differ.

FanIn80 · 03-20-2009, 02:35 PM

Quote:

Originally Posted by Bobblehead

They are using the browser to get control of the OS.

Right, but they're testing the ability to hack the browser to get to the OS, not the ability to hack the OS. My point, is they could probably hack into a Windows box (using the same vuln) if it was running Safari for Windows.

This is just about proving vulnerabilities in browsers, not operating systems.

(This isn't a MAC/PC thing, I'm really just trying to make sure I understand.)

Bobblehead · 03-20-2009, 03:45 PM

Quote:

Originally Posted by FanIn80

Right, but they're testing the ability to hack the browser to get to the OS, not the ability to hack the OS. My point, is they could probably hack into a Windows box (using the same vuln) if it was running Safari for Windows.

This is just about proving vulnerabilities in browsers, not operating systems.

(This isn't a MAC/PC thing, I'm really just trying to make sure I understand.)

Well, while the same exploit of the browser may exist, a different O/S may not be susceptible from that exploit. For example Windows XP is always an easier target because most people run with administrative privileges give malware makers the rights to be able to install and control the O/S any way they wish.

You are partially correct in saying this is testing browsers, but just because a browser has a vulnerability <> the O/S is vulnerable.

This competition is specifically looking for ways malware writers could gain control of the O/S, and by far he most available method is via the browser. So they took the 2 most common O/Ses and the the most common browsers on each O/S. They could have done it through e-mail, or p2p clients, but browsers are the most wide open.

So perhaps the Safari browser is just as bad on Windows, but how many people use the Safari browser on Windows? And who knows if Windows is even able to be hacked through the same spot (my guess would be yes, but perhaps Window has seen this type of attack before and already blocks it).

Incidentally, day 2 of this competition allows extensions to the browsers to look for vulnerabilities through that vector. I'm not sure how they figure that one out - how do they decide which extension to allow? Unless they are referring to javascript/flash.

I don't think this is an indictment on Macs. It isn't like one was hacked and the other O/S wasn't. But the sheer speed of the event was amazing. Even if the guy did come up with this vuln a long time ago, that just means that it could/should have been fixed a long time ago; or some malware writer may have already been using the exploit for a long time.

FanIn80 · 03-20-2009, 04:05 PM

Ohhh... now I get it. Yeah that is pretty wild actually.

Hopefully these vulnerabilities don't go ignored.

Kipru · 03-21-2009, 06:21 AM

Quote:

Originally Posted by llama64

People actually use Opera?

Only the intelligent ones.

llama64 · 03-21-2009, 10:28 AM

Quote:

Originally Posted by Kipru

Only the intelligent ones.

Guess I'm not intelligent because I couldn't understand how it's interface was anywhere as usable as say... Firefox, Safari or even IE.

Claiming intelligence based on browser choice is kinda lame imo. That's like saying BMW drivers are smarter.

As far as browsers needed to support as a web developer, I have to say Opera is about as important to my clients as Konqueror.

csnarpy · 03-22-2009, 03:03 PM

Quote:

Originally Posted by llama64

Guess I'm not intelligent because I couldn't understand how it's interface was anywhere as usable as say... Firefox, Safari or even IE.

Claiming intelligence based on browser choice is kinda lame imo. That's like saying BMW drivers are smarter.

As far as browsers needed to support as a web developer, I have to say Opera is about as important to my clients as Konqueror.

but BMW drivers are smarter!!!