back to article Safari zero-day exploit nets $10,000 prize

A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple's Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest "pwn-2-own" contest in which participants are able to …

COMMENTS

This topic is closed for new posts.
  1. Victor Szulc

    Of course...

    Well that was bound to happen. Ubuntu probably uses their own shite on their servers, so no wonder a crappy OS like Linux buckled under the moderate pressure.

    Yes, light to moderate pressure: There's probably more people out therre that still run DOS/Windows 3.11 than there are Ubuntu-users.

    There's no way a couple of hundred basement-dwelling Linux fanbois who want their newest unix-fix, can bring down a website just because of traffic alone. Trust me, it's the OS. It's ALWAYS the OS!

  2. Victor Szulc

    Yup...

    So much for security-through-obscurity. Should be obvious by now, that mac's aren't technically more secure than Windows machines. Especially after the Intel-switch.

    The only security advantage, is the fact that it's a pretty obscure platform. Why write an exploit for a couple of million macs, when you can write it for a Windows machine and reach hundreds of millions of victims?

    The one period where I was forced to use a mac, it crashed on me a couple of times a week. (The kind of crashes where you have to yank out the powercord to use your machine again.)

    It's nice to know though, that switching to a shite platform like Macintosh won't make you any more secure. Should force quite a few people to rethink their porn-habits...

  3. Murray Pearson

    Oh, give me a break.

    Nobody who's knowledgeable says Macs are invulnerable. They just have a modicum of security which is very hard to achieve on Windows. Moral of the story? DON'T USE SAFARI, it's a piece of poo; use Firefox.

  4. Clay Garland

    This contest is dead.

    These guys simply changed the rules when the results of the test weren't suiting them. This isn't a real honeypot contest like it was originally purported to be.

  5. sail

    95% of exploits are application based

    Applications are the biggest threat to any computers security.

    And what's worst is giving programs administrative (aka sudo "root) access to install "hooks" or other marketing gleaming code deep into a operating systems workings.

    Developers don't give a rats behind about securing their code, they are run by marketing departments and they already have your money, so little is motivating them.

    Apple needs to wake up and better compartmentalize their operating system security.

    As a longtime Mac user, I am APPALLED at the crap of security the Mac OS and Apple apps has turned into.

    Don't get me started about EFI....

    ( a powerful firmware environment that can contact the internet and download even before the OS has even loaded? Insane !!!)

  6. Scott

    Well, duh

    Hang on a minute here.

    What was the original purpose of this contest? To create a no user interaction hack.

    So, what did they target? Javascript exploit through Safari.

    Yeah, so what? Java is being targetted at the moment, in which Safari uses it. I would suggest that the same exploit "could" happen with ANY browser that uses Javascript.

    Hell, it's happening on Windows, Linux and now this alleged "contest" has found the same for Macs.

    Did I just feel my earth move slightly? NO!

    Let me know then there's a PROPER malware and/or virus threat on the Mac that KILLS THE Mac COMPLETELY.

  7. Anonymous Coward
    Anonymous Coward

    12 Hours????

    Was a little confused by the title as ZDNET US had an article saying that the mac had actually lasted the first 2 days.

  8. Cyberspice

    I used a PC once...

    ...it didn't even have a UI. Just text based applications. It only had 640Kb and a floppy that held 360Kb.

    Macs and PCs have been around so long that everyone has had a bad experience. I basically wouldn't touch a PC, prefering my 32bit Acorns at home and a Mac at work, until Linux and Windows 95/NT4 came a long. Then over the remainder of the 90s Macs got steadily worse and Windows got steadily better to the point that XP Pro isn't too bad and I only have to reboot once a week. Then OS-X came out and a whole new situation with it. That, and the falling hardware price, is what got my to move to Mac at home.

    Linux is about 15 years old, 32 bit Windows is 12 years old, OS-X is 7. But the lower levels of OS-X are BSD and suffer the same insecurities that any other OS using GNU libraries, applications and utilities do so not really many at all. The application layer is newer and that's what they hacked. The question is how does the security of that layer compare to say Linux or Windows?

    There is no one true OS. Each has their advantages and their floors. OS-X suits me at home and Linux suits me for my development work. I use XP on the rare occasions I play games.

  9. Sean Healey

    cross-platform vulverability

    I agree with Scott ...

    ... This contest seems to have simply proven what I've suspected for some time - Java and Javascript is a cross-platform weakness which is exposing the more secure systems to abuse in ways they are not natively vulnerable. I think this ties in with the comment that 95% of exploits are application based...

  10. Rich Harding

    For heaven's sake

    IT professionals, particularly those of us who work with high-volume websites, are used to using various flavours of OS out of necessity, and we want to know about this stuff.

    This is not some Blur vs Oasis chart pissing contest.

  11. Robert Grant

    Who is this Victor...

    ...and why does he think talking about Ubuntu is at all relevant here? And why does he think security by obscurity is having a low-target OS, rather than having a closed-source OS?

    I don't understand, and I normally wouldn't care, but his rambling seems to be spreading around these comments a bit.

    Victor:- Reasoned argument? Yes, great, disagree all you want. Ranting clothed in crap English? Mmm...not so much.

  12. Andy Tyzack

    Here we go again

    We only have this persons word that the machine was hacked,

    why cant people just face the fact that a mac is a 1000% better than windows, people should spend more time fixing windows that pointlessly trying to rubbish the mac platform.

  13. Ron Eve

    Smoke and mirrors

    "The one period where I was forced to use a mac, it crashed on me a couple of times a week. (The kind of crashes where you have to yank out the powercord to use your machine again.)"

    Per-lease! How old are you? 12? If a car broke down twice a week wouldn't you suspect maybe it needed FIXING.

    Anyway, as pointed out elsewhere, they changed the rules so that you had to interact (read: let the hack happen) when it was fairly obvious it was going to be too difficult (note: I'm not saying impossible).

    The Mac OS is without doubt more secure than Windows. The fact that there are no viruses or trojans for Macs is nothing to do with how many (or few) of them there are in the world. I bet there's more than a few dickwad hackers out there who'd love to rub dirt into smug Mac users faces by creating a virus or trojan, but just can't 'hack' it! (sorry)

  14. David

    Lions and tigers and porn... Oh, my!

    I don't know about Victors porn cruising habits but mine have never crashed a Mac. That has to be some serious one-handed surfing! Power plug pulling, even!

  15. Cliff

    Honeypots don't mean much if they're empty

    I don't see the 'rule change' as indicative of anything beyond 'Why Bother for $2k?'. Would I give up 24h of my life to target a bit of hardware that others are attacking at the same time to only win that same bit of hardware? Hardware's cheap, and I don't want a Mac. That doesn't mean that mac's are safe, which would be the apparent marketing result of nobody being bothered to break into one for a chance at winning some hardware they don't need.

    Make it about some sensible money, and ears start pricking up. Make it real-world, and they do even moreso. Apple sell macs on the basis that they come with everything you need already installed in one big apple love-in (itunes, ipictures, ivideo or whatever they call it - they run billboard ads to the same message about how integrated it all is...), so if a bit of that pre-installed 'ware has vulns, that's only fair to attack them.

  16. David Tonhofer Silver badge

    And this on a sunny Saturday afternoon.

    a) Do we really need to read stories that sound as if they had been written by the RNC or Bill O'Reilly himself? "tired claims from Apple and its many lackeys" ... BARF!

    b) "Remotely gain full user rights to the hacked machine" and "client-side javascript error that executed arbitrary code when Safari visited a booby-trapped website". I surmise if the user runs his browser as "root"? Or has the browser been made setuid root now? LAME!! If not, provide more information. NOW!

    c) Comments. What's an arbitrary dumb rant againts Linux doing in the comment section of an article about compromising Macs? TRIPLE FAIL!!!

    Full disclosure: I don't have any Macs around me.

  17. Steven Hewittt

    What?

    Andy: "why cant people just face the fact that a mac is a 1000% better than windows."

    What makes me smile is that the Mac community are the first to shout about the malware and viruses out there for Windows. Guess what - they nearly all need user interaction!!

    No OS is secure. They're all very, very good with security - it just takes a stupid user to break it all. This contest proves that - if people wanted to target the few percent of computers out there that ran Mac OS X then they could.

    Yes Mac fanboys, you OS isn't amazingly secure. Nor is Linux, nor is Windows, nor is Symbian OS 9.

  18. Anonymous Coward
    Anonymous Coward

    Who left the door of the asylum open?

    ... and let all these pseudo (note: that's how it's spelt) religious maniacs out?

  19. Anonymous Coward
    Anonymous Coward

    Humerous...

    So yeah.... I've been eyeing all the mac attack news reports for some time now... being a mac user myself.... and windows... and linux... (overkill geek anyone?)

    EVERY SINGLE frakking apple hack report all had the same stuff:

    1: You had to be a total idiot to get hit

    2: Same as 1 with a reminder built into the OS (Are you sure?)

    3: No documentation on the actual event and proceedrue

    4: Proof of concept

    and Im sorry....but if you crash a mac... your dumber than you look.

    I've have never seen an Mac OS-X "hard crash" ever.... its been years!

    I've seen application hang ups.... but never have I seen the OS-X kernel go into "panic".

    You know that funny little 3 to 4 langauge message telling you to restart? that was the last time I've seen it crash.... that was like.... OS-X 1.x or something.

    All those people who say "HAHAHAHA macs are easy to break in to" and the people who say "macs are invunerable" should go back to school and study operating system design and stucture not to mention linux OS systems before they open their slime ridden mouths with very little IQ to boot.

    OS-X security breeches (if any) fall under the same categorey of Linux ones.... they are very difficult due to the nature of the system... and require stupid users to help ti along... non user interaction my ass... there are a number of things you can do to prevent that sort of thing from happening.

    Not to mention the fact this particular breech was patched immedately.... thats more than I can say for windows.. who patches the patch that was patched.... only to patch it again.

    I won't deny Apple being foolish about certain practices in coding... but at least they are a long ways off being meeting windows level of stupidity.

    The other thing is i noticed it took 24 hours plus to do this.... funny... the average life span of a windows getting an infection is what... 5 minutes?

    When is the IT industry going to wake up and stop looking like a bunch of stockholm syndrome cases?

    Yes.... given enough motivation (10 smacking big ones) and enough caffieene... you'll find that hole your looking for... if you have the attention span for it.

    But funny enough... people don't bother because it takes too much effort.... they find it more lucerative to go after windows... because its easier...

    Dont' give me any of that statistical BS.... its just easier... and that is the bottom line.

  20. Anonymous Coward
    Anonymous Coward

    What?

    Who writes this stuff? More honest articles on the subject have clearly pointed out that the mac survived the first 2 days with no one being able to successfully hack it. They then changed the rules until they were able to find a way to hack it using a booby-trapped website and a java script expliot.

    This is not indicative of the insecurity of the Mac OS, this is indicative of the fear mongering of irresponsible web reporters. OS 9 had a small market share but there were at least a few viruses for it. OSX has a larger marketshare but has no known viruses in the wild. This, to me, is a clear example of how the small market share myth is false.

    Please do your research (or write honestly) when you write these articles.

  21. Simon

    Mac more secure?

    "The fact that there are no viruses or trojans for Macs is nothing to do with how many (or few) of them there are in the world. I bet there's more than a few dickwad hackers out there who'd love to rub dirt into smug Mac users faces by creating a virus or trojan, but just can't 'hack' it! (sorry)"

    In a very real sense, hacking is about numbers - The bigger the number, the more money can potentially be made...Yes, there probably are "dickwad hackers" who would love to hack Macs and cant because they dont have the know-how...

    Unfortunately, its not the "dickwad hackers" you have to worry about, its the professional hackers...And for those people, it makes sense to target the largest population base that you can (you make more money)...

    If Apple were serious about proving how secure their OS is, they would setup a honeypot with a real reward...They would also advertise it widely, rather than just have a token act at a conference for the media to report on...However they wont do that, because the amount of effort people would have to put in to learn enough about the system to remotely hack it without input from a user, they're gonna put that knowledge to use to create more exploits in the future, which means Apple will find a lot more exploits coming out and more quickly...

    If that happens, they lose just about the only thing they can market their PCs on...

  22. Graham Lockley

    sanity

    'There is no one true OS. Each has their advantages and their floors. OS-X suits me at home and Linux suits me for my development work. I use XP on the rare occasions I play games'

    I dont agree 100% with the choice of OS but thank god for some sanity amongst the flames. There is no truly secure OS, once a computer is turned on its vulnerable, never mind connected to network. OSX and Linux (by the nature of their roots) are inherently slightly more secure platforms but NOT bullet proof. Regardless of the OS used we each make a decision about relative security when we connect to the Internet, for some XP is the right balance between security and usability and for others its not.

  23. Thomas Vestergaard

    Javascript is inherently insecure - apparently

    Ain't it incredible how any article about problems with some OS or browser always leads to tedious and stupid arguments about "my OS/browser is better than yours"?

    So before writing something like that, please consider such comments only make you look stupid.

    Another things that makes you look stupid is to confuse Java and JavaScript - they are NOT related! If you don't understand their respective technology, then just assume Java is secure and JavaScript ain't!*

    Alright, now lets take a better look at what this is really about...

    Do you know any OS/browser which haven't suffered a arbitrary code execution JavaScript exploit?

    Lynx on OSX ain't, but that is probably because it doesn't have support for JavaScript and neither because the Internet Software Consortium is a hell of a lot better than most guys at writing software nor because it is run on OSX.

    No one have yet managed to create a secure JavaScript interpreter, thus the only conclusion one can really draw from this kind of news is that the guys within static analysis and program verification should receive more funding. ;-)

    Oh well, the real conclusion should probably more along: "JavaScript sucks".

    *: And nothing is absolutely secure - this is from a architectural point of view.

  24. Anonymous Coward
    Anonymous Coward

    re. What

    re. What? Who writes this stuff? More honest articles on the subject have clearly pointed out that the mac survived the first 2 days with no one being able to successfully hack it. They then changed the rules until they were able to find a way to hack it using a booby-trapped website and a java script expliot.

    This is not indicative of the insecurity of the Mac OS, this is indicative of the fear mongering of irresponsible web reporters.

    Please do your research (or write honestly) when you write these articles.

    ==============

    This post says it all -- thank you. Is there some fear by techies who are paid to support Windows at work, university, etc. that computers could actually become easier to maintain and thereby undermine the existence of MSCE certified personnel? They don't have to help the Mac users at work, and are kept busy fixing Windows PCs. Maybe Windows is getting more reliable too. Hmmm.. let's think of another crisis. Year 2000.. oh done that. How about saying that Macs can be exploited; after all, Bill Gates recently claimed this is done on a weekly basis. C'mon - get real!

  25. Anonymous Coward
    Anonymous Coward

    RE: Lions and tigers and porn... Oh, my!

    ..I fully support David's statement: OSX is a wonder platform for one handed porn surfing.

    I wonder why nobody introduced a specialized pointing device with a head mounted laser pointer, that would be the only real needed improvement!

    With all the money I save not having to fund the likes of Symantec and Trend Micro I could afford to buy such a new device ;-)

    Seriously: it seems to me that a platform security is not inherently built in its internals and OS: is just a combination of it plus the effective spread of exploits and the way they are used.

    Under this view (that you might not share) Windows is surely more vulnerable than OSX.

    And it does not matter if OSX or Linux achieve a better security through obscurity or by wizardry, they simply scoring better.

    But then if you want to run some serious client apps.. Well that's another story.

    GaB

  26. Ned Fowden

    Good grief....give it a rest

    the fact that there is more and more stories now of mac related virus/malware/trojans incidents just proves that the potential is there.

    The 2nd fact is that Apple have worked harder on their OS security than MS, but the 3rd and final fact is one that someone has already mentioned in these comments

    almost all these exploits still need user interaction for them to be successful across ALL platforms.

    lets see you hack my PC behind all my closed doors, it won't happen and just because mac includes the basic securities doesn't make it better, just smarter from the outset

  27. Dennis Price

    Side Note....

    I do enjoy watching "Dodgeball" and watching Ms. Macboy get the crap knocked out of him....

    lmao

    And as an observation, the only time I've gotten ANY virii on a Winders OS in the past ten years was when my ex opened "trusted" email from a friend of her's - go figure.

  28. Dillon Pyron

    Javascript ...

    is a tragedy waiting to happen. Use the right plugin in Firefox and that problem goes away. Stay away from root and the problem goes further away.

    Too many applications, in all the OSes, seem to require elevated privileges to install or even run. So we just crank 'em up. Vista makes a mighty swing at this, but too many people are going to get fed up with all the "are you sure?" and just turn themselves on all the way.

  29. Anonymous Coward
    Anonymous Coward

    Java/JavaScript

    From all I have read, this is a Java exploit only. Hence, it can affect any browser, any platform.

    "to confuse Java and JavaScript - they are NOT related! If you don't understand their respective technology, then just assume Java is secure and JavaScript ain't!*

    Thomas, I heard it was the other way around. Java is not secure, and JavaScript can just be a bit flaky.

  30. Blain Hamon

    More details: Quicktime and Java

    http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

    Hunh. Turns out it's some interaction between Quicktime and Java. So if you use MacOSX and Safari, or MacOSX and firefox, or Windows and IE, or Windows and Firefox, and you have Quicktime (read: iTunes) installed, you can get hit. If you disable Java (Not Javascript), you are not affected on either platform. Is this the premise of write once, run anywhere?

    I see the old excuse of market size has been brought out again. While it might be a contributing factor, there's a few counterexamples. The "What?" post has already covered the MacOS 9/X one. I've actually seen Sevendust in the wild on an iMac running 8.6

    Furthermore, SQL slammer had a target population of 100K, and the Witty worm had a target population of only 12K. Apple shipped 1.6M Macs in 07 Q1 alone. Were it purely a function of market share, why haven't there been 3-30 worms a month for MacOS X? Especially considering how fast, virulent, and devestating SQL Slammer and Witty were, despite having a market several orders of magnitude smaller than MacOS X.

    http://www.caida.org/analysis/security/witty/

    http://www.caida.org/analysis/security/sapphire/

    Is MacOS X fully secure? Is Safari? Firefox? Linux? No. Of course not. To claim otherwise is folly. (Andy, you're frothing at the mouth. Remember, we're supposed to be good fanboys. No rabies) Should we simply declare the field level, and simply chalk up IE and ISS's woes to larger market share? Neither that, because it wrongly removes responsibility.

    But does this really matter? Should we celebrate other systems' misfortune? No. Worms and other such things affect my systems and servers, even if they never touch or infect them; It adds more strain to the network, and can crowd out legitimate traffic. In this regard, no system is immune to the effects. Should we always strive for improving security? Yes, yes, a thousand times yes. Infighting and OS wars blind us to this fact, that it's everyone's problem.

  31. Andy Tyzack

    Take note

    All these people who talk about mac os x (and call the experienced users mac fanboys) have never used mac os x in their life!

This topic is closed for new posts.