It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered. Like dominoes falling in rapid succession, the platforms were felled in the …
Linux hacks?
There was no mention of any Linux hacks there, just Firefox.
Does it mean that hacking Firefox on a Linux platform would put the whole platform at risk? Or would it just be according to the current user's rights?
Thanks in advance
Paris 'cose she wouldn't know neither
Re: Linux hacks?
Without a privilege escalation it should only affect the current user's account
Re: Linux hacks?
Would the 'expert' who down-voted this care to give an explanation?
A simple (and very pertinent) question and he gets multiple downvotes, really? So I guess some commentards have a knee-jerk reaction and just automatically downvote anything that happens to mention Linux, regardless of the context.
& to ZedroS: as Chemist said, without a separate privilege escalation the attacker would presumably be confined just to the rights of the user whose Firefox session got pwned.
Ex - "Former" or "Has been"
Spurts - "Drips under pressure."
Your explanation is that there are lots of 'experts' on these boards.
Beer - cause it is close to Friday. OK it is Friday someplace.
Re: Re: Linux hacks?
"Would the 'expert' who down-voted this care to give an explanation"
No? I thought not.
what is the point
Why are you baiting the trolls? Who cares if your comment gets downvoted?
Have you entered the real world or you still love in your mum's basement? Why worry about such trivialities? It doesn't make sense.
I don't buy it. I say you're trolling for info that could easily be found by searching the net.
Re: what is the point
Someone asked a question and some of us grown-ups did our best to answer. You, on the other hand, contributed nothing.
We are a gregarious species. Those of us with a reasonably mature and undamaged psychology place some store in what other people think of us. That you (and a lot of IT-tards) don't is testament not to your superiority, but to your inability to understand and manage one of your most basic urges.
Therefore, when chemist asks why his factual response was down-voted, he is simply exhibiting a mature and well-adjusted attitude to social matters.
It is not, and never has been, cool or clever or in any way "better" to not care in the slightest what other people think; rather it's one of the key indicators of psychopathy.
How's your basement? The chains pinch much?
"or you still love in your mum's basement?"
Wrong on so many levels.
"He said he found all of them using the same rudimentary, five-line script written in Python, raising the very legitimate question: If he can find them, why haven't people working on Apple's security team found them, too?"
Because they don't get to prostitute themselves for financial gain. If Miller was really as holier-than-thou as he claims, perhaps he might just go and tell Apple, and Microsoft and Mozilla, about these hordes of flaws instead of using them to win prize money and fondle his ego.
The article does refer to Apple applying band-aids every time he emails them, so to me that sounds like he does inform them.
What's wrong with earning some cash from this? The man has to eat, and I'm damn sure Apple don't say "Thank you very much" and hand him a cheque every time he emails them an exploit. Which is a pity as I'm sure browser security would improve no end if the browser authors actually compensated security researchers for their hard work.
"Because they don't get to prostitute themselves for financial gain."
Of course they do! They work for Apple [or insert favorite tech... oh hell, make it ANY company], FFS...
Issue a patch?
"Microsoft researchers, who were present en masse at the contest, are investigating the report and will issue a patch if their findings warrant it"
Which means either in 6 years, or never.
MS consistently have been quicker getting patches for security flaws to end users than Apple or the various Linux distros. Check your facts before making such comments.
I believe MS has an average of around 16 day turn-around on fixes which is only bettered by RedHat at 12. The less said about Sun the better (3+ months!)
I think the use of the "joke alert" icon generally suggests that the post is not to be taken seriously.
"I believe MS has an average of around 16 day turn-around on fixes which is only bettered by RedHat at 12. The less said about Sun the better (3+ months!)" 
Really, if you want people to check their facts, perhaps you could do as much and tell us where you got your "facts". Was it from a sponsored study or an independent review? Did it weigh the severity of the fixes, or was a 10-day turnaround for a low-risk vuln given the same value as a 10-day turnaround for high-risk ones? How large was the sample size, and what correlation methods did they use?
I DON'T know who's been better, but that's because I DO know that all of the "studies" I've seen on this issue have either been sponsored (resulting in biased or simply hidden methodology) or poorly designed (or, more commonly, both).
The iPhone spilling its SMS database to a malicious website is a very worrying turn of events, not just for iPhone users but for ALL smartphones. Sent and received (and deleted!) SMSs are probably the most personal information most people routinely carry around with them (think Tiger Woods!) with the possible exception of emails. Bit of a wakeup call eh?
I guess the lesson we can all take away from this is, if you *really* value the privacy of the data on your phone, turn off bluetooth and wifi and never use it to connect to a website. Kind of defeats the point of a smartphone doesn't it?
A simple way to stay secure
"I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually."
As always, the simplest way to choose a secure platform is to keep an eye on the stats for browser and OS market share and pick a combination near the bottom.
Security by 'keeping your head down...'
"The problem Microsoft has is they have a big market share," said Vreugdenhil, the hacker who attacked IE. "I use Opera, but that's basically because it has a tiny market share and as far as I know, nobody is really interested in creating a drive-by download for opera. The web at the moment is pretty scary, actually."
Yup. I used to run a virus lab, and that's the reason I use Opera as well. That, and the fact that it's fast, and very standards-compliant....
From the horse's mouth: platform doesn't matter.
5 lines of Python...shame on you Apple.
I wrote a trojan in our company's proprietary language in 3 lines of code. It's not the size that matters. Then again, I wrote an assembly application back in the days that pitch-shifted WAV files -- all in 53 bytes.
AC for OBVIOUS reasons.
This contest is flawed
yes it helps in one way..but...
Say you found a flaw 6 months ago and you may get a thank you (if lucky) from the vendor for letting them know. Or you hold onto that flaw for 6 months and then release it at the competition. Hey presto, 10k / 100k and a thank you.
So does this promote security or not?
No it isn't.
Say you had to decide between hunting for flaws or picking your bum.
Hunting for flaws nets you the best part of sod-all: Pick your bum.
Hunting for flaws nets you $10k: Hunt for flaws.
So yes, rewarding people for finding security flaws promotes security.
"Why didn't they find and fix this?"
Always love the "if I can find this bug, why couldn't Apple/Microsoft/Linux kernel developers" questions. Because they're busy building the o/s, that's why. How many operating systems have the guys mentioned in the article built and offered to the community?
And while they were building them did they fix a lot of security issues with them? Yes? Well done. But not all of them? Oh wow, would never have seen that coming.
And yes, Apple probably would find it easier to patch bugs if you shared your method of searching for bugs with them, rather than just mailing them about the individual bugs. Well spotted, eventually.
Um, not really
"Always love the "if I can find this bug, why couldn't Apple/Microsoft/Linux kernel developers" questions. Because they're busy building the o/s, that's why. "
Kind of a silly argument there. MS, Apple, etc hire *thousands* of programmers. Surely they could spare 2 or 3 for vulnerability checking.
Oh, and Charlie Miller's making a presentation on how he finds bugs. :) Wonder if Apple has any employees there to hear it?
Busy bloating the OS you mean...
"Always love the "if I can find this bug, why couldn't Apple/Microsoft/Linux kernel developers" questions. Because they're busy building the o/s, that's why. "
And this is what is fundamentally wrong with commercial products. The most important feature of any software product is to be completely secure. But when security isn't there, it's a bug fix to correct, not a feature upgrade (since it's supposed to be there in the first place). Commercial vendors need to get you to pay for an upgrade, which they can't really do for mere bug fixes, so they have to add fancy features that you probably don't need, inevitably making the products even more complex and even more insecure in the process. If they weren't in such a hurry to sell you a new version, they could spend more time getting it right before they change it into something new. "build an os?" what a laugh, they need to SIMPLIFY the OS, because an OS doesn't need to be that complex, and it's easier to secure a simple design than a complex one. Examples-- we didn't need ActiveX, or .NET, or Silverlight, or Vista, or IE for that matter, Microsoft did. Less is more.
"The most important feature of any software product is to be completely secure."
Ah - wrong. I could make a car that is made out of cement and has no engine and the tires don't turn. No one would/could steal it. But it would be an awful car. There needs to be some balance between usefulness and security.
And this is what annoys me in the Web App Sec community sometimes. Not every web app is a bank. Not everyone wants to jump through two factor auth just for a quick El Reg troll.
Yes, it's usually a good idea to carry out all the basics, checking data as it crosses app layers, access control, etc, but sometimes users would rather have the risk of user enumeration that comes with a verbose logon procedure, and sometimes a business has to respond to its users ...
Becoming a favourite target
How long before the iPhone becomes a favourite target for hackers?
Its closed nature makes it an easier target once the hackers have worked out how to get in there in the first place; the agreements are designed to keep the good guys out, the bad guys don't give a sh1t. Its popularity will provide a big enough pool of victims. There are probably a lot more ways of turning a profit from a hacked iPhone, particularly if they find ways to make calls or to access the GPS info: targeted ads? Muggings to order (find me a victim walking within 1 mile of here)? The prospect of being able to open up a mobile device to hacking is actually quite scary.
Even the example hack of stealing the contacts and text messages is an open invitation to blackmail. Spot texts to the wife, spot texts to the girlfriend. Text victim: do these people know about each other? Would you like me to text them and explain?
Opera - the only one not hacked...
and the one hackers themselves use...
Says a lot about its security....
Opera isn't on the systems
You can't hack what isn't there.
QA costs money
Key questions for me are:
Do last year's exploits still work?
If not, it is a vaguely encouraging sign that vendors take note of this level of exposure.
Why don't vendors pay double the prize money if an exploit is directly reported to them?
That would have several useful results:
-- bugs fixed quicker;
-- more incentive for white hats to work on problems, and for gray hats to turn their results in to the vendors rather than elsewhere
-- better publicity fallout when the product withstands a hacker conference assault
-- trendy marketable claims about using crowdsourced security QA
Microsoft researchers, who were present en masse at the contest...
Oh for a photo of their faces at the moment when IE8/Win7 was felled (or should that be failed?).
Those exploits are important to me, how, exactly?
As you said: "The genius of a contest like Pwn2Own is that it exposes the insecurity of software that rarely gets exploited by criminals."
Not sure why you consider it "genius" -- I consider it useless. If criminals are not interested in exploiting the bugs, why should I care? Who, if not criminals, would exploit my insecure software to damage me?
Or, more bluntly, there's a reason criminals are not interested in these exploits: they're useless. The criminals cannot do with them what they want to do.
It's precisely for that reason that this 'event' is a non-show. There's nothing to see here. Move along, folks. (Though I'm happy for the guys who won the $$$)
Market share == security risk?
"The problem Microsoft has is they have a big market share"?
Sorry, this defence of Windows' security problems gets repeated ad nauseam, but it can't be the whole story, can it? Since OSX and Linux together own about 10% of the desktop market, any reasonable person would expect there to be a pretty sizeable amount of malware (not even 0.1% of the total, let alone 10%) targeting these OSes -- especially given the fact that OSX and Linux users are far too smug to use anti-virus software. Yet there are no significant exploits against these platforms in the wild.
Yes, I have kiddy scripts banging on my Linux servers all day long, looking for security holes. But I'm honestly curious about why the Windows desktop OS (which I rarely use) reportedly falls over like a house of cards in a breeze any time a black hat breathes on it?
No, not the whole story
Obviously not. Windows has traditionally been a single-user OS where the single user runs with full admin privileges. This helps make a hacker's job a lot easier: compromise that account and you have pretty much unfettered access to the system.
Furthermore, Windows users are more biased towards the computer-illiterate end of the market. No offence - there are some very capable people using Windows - but on the whole it's your self-employed person doing their VAT and accounts, or grandma keeping in touch with the grandchildren half-way across the world via Skype that use Windows and quite frankly don't know or understand fully the security risks. These are the people that hackers really want to target. Generally, Linux users are towards the computer-literate end of the user spectrum. I have a circle of about 40 friends and family of varying degrees of computer-literacy and it is always, without fail, the "computer numpties" - no offence Melissa and Pete ;o) - whose computers I have to sanitize every couple of months; despite all the warnings about "not doing this", "not going there", "not running that." And this is despite having good security software and the latest patches.
However, having the largest market share (coupled with the above) probably is the biggest driver. If your intention is to cause disruption and generally create a bit of a kerfuffle why would you go after <10% of systems? Even if you managed to compromise 1% of those (over a period of time) it would be statistically insignificant compared to 10% of the other 90% of machines.
I would point out that I use both Linux and Windows on a daily basis. I love Linux because I love scripting and programming and it's so easy to do. But I also love gaming (and hate consoles) and I'm a realist and know that the best platform for that is the PC running Windows. I've never had a virus, never had a computer I own and manage compromised in any way, never had a problem of any sort like that. The point is, any OS is only as safe as the person managing it and all too often with Windows, that person doesn't know what they're doing.
When you look at Apple's premium pricing you can be sure OS X is used by the more wealthy segments of the computer-using population.
This surely must make OS X a nice fat juicy target for malware purveyors.
Yet there has not been one self replicating virus on OS X since its inception in 2001.
"The problem Microsoft has is they have a big market share" is the biggest line of bullshit that's been heard in tech circles over the last 9 years.
With a 5 percent market share (10 percent in the USA) you would have thought OS X would attract at least some malware. But it has none. How can this be so?
Oh and shenanigans in the computing lab doesn't count. If a threat is not in the real world then it can be regarded as nothing more than the yapping of stray dogs.
but the iPhone's just been owned!...
Why hasn't OS X been targeted, even though it has more "wealthy" people? Most of the malware I have been being punted about recently is scareware (that in turn installs a back-door or the like). Scareware works off of numbers. If only 1 in 100 infected are stupid enough to actually pay for the stuff to "get protected," then attempting to infect a measly 5-10% of the computer population is just plain stupid. It is the same reason commercial game developers don't develop for Linux. If your goal is to make returns by getting it out to the largest possible audience for the least amount of effort (or in the case of malware, the highest chance of infection from a random visitor), you target the most popular OS. It's just icing on the cake that the most popular OS happens to have loads of stupid users.
I agree. In my experience, Apple users aren't any more computer-literate than Windows users. They're more likely to be non-technical professionals who want their computer to "just work". Maybe I'm just being politically correct, but it's hard for me to believe that a graphic designer who bought her Macbook Pro at the Apple Store is less likely to click links in questionable email than the burger-flipper who bought a budget PC at Walmart. And the OSX software environment is even more homogeneous than the variety of Windows installations out there.
You missed the point slightly. First, Mac is not mentioned - just Linux and Windows. Secondly it doesn't matter the amount of money Apple users have. There's just too few of them to bother with. If there are 15 times more Windows users than Mac then you need 15 times higher infection rate on the Mac to get the same net gain. It's just not worth the effort.
As for there being no malware on OSX, that's a downright lie. Just type "OSX malware" into Google and open your eyes, or go look at any AV manufacturer's database, for example: http://www.symantec.com/business/security_response/landing/azlisting.jsp?azid=O
So that's what puts the "soft" in "Microsoft"!
Well... Vreugdenhil was comparing Mac and Windows, as was I when I asked the question that started this thread.
But I think that you've actually provided the answer to my question. Sure malware for OSX exists -- just as does malware for Linux, and my router, and the network-accessible switchgear at the electrical substation down the street. But attackers DO tend to concentrate on the softest targets; i.e. those where the largest gains can be made with the least investment (money, time, technical expertise, physical access) and least risk (legal, physical exertion). And as even the resident Microsoft fan club has pointed out, Windows is hands-down the softest target out there.
So I've chosen St Bill, in hopes that the rest of us will be protected as long as Windows is, well, Microsoft.
"Yet there has not been one self replicating virus on OS X since its inception in 2001."
Does there need to be? Virus code no longer gets into computers to scramble your hard disc or display obscure political messages. It is looking to steal data. Login details, anything that can eventually be "monetized".
Okay, granted, in many cases the OS X trojans and stuff need to be given authorisation, but how many people tend to dismiss messages without really reading them? It is easy to not be vigilant, and it is even easier when stupid people say OS X is virus free. Sure, they may only be trojans, but they can hook into other programs (which is a replication of sorts), modify application data (including /apps programs), make merry havoc with instant messaging, and rip off data.
And that, my friend, is my definition of a successful attack. Not whether or not it has self-replicated, but whether or not data has been compromised. And using my definition, OS X is *not* as secure as you'd like us to believe. Oh, yeah, it is streets ahead of Windows, but not 100%. Nothing is.
For your reading pleasure, here's a link: http://www.sophos.com/security/analyses/viruses-and-spyware/osxhovdya.html and Google will find a number of others. I can't tell you if there are tens or hundreds or more for OS X because, hey, it's 4.30am and I actually don't care. But I found one compromise vector. In time, others will come. Perhaps ones of the sort where you, end user, don't have to do anything in order to get pwned.
So don't brag about never having a virus. Not having a virus is not the same as not being ABLE to have a virus.
Just another reason....
Just more proof that spaghetti software is crap and that all those people that have found ways to go in and around the "patches" should be the ones helping find all the flaws BEFORE this stuff hits the market in the first place imho.
It's a jungle out there!
No place is safe and no protection invulnerable!
... What else is new?
Security on internet facing software
It certainly seems that the current approach to browser fixes is not remotely keeping up with the exploits. Perhaps more emphasis on the following is needed:
1. On Solaris or Linux, I can do "ssh captiveuser@localhost" and then run Firefox as that user so that even if it gets hacked, all it can do is access files of the captiveuser account, which only contains the browser profile. Possibly also in a chroot/zone. So on MacOS and Windows, maybe there needs to be more emphasis on "run sandboxed to avoid damage if exploited" at least as much as "try to avoid all the bugs up front".
The recent browsers with "run plugins in a child process" represent a start in this direction, but only a start.
So it seems there's merit in trying to split things back to "basic script interpreter which can just alter window/form contents" and anything else claiming to be an app-in-a-web-page such as gmail would need special approval from the user to be enabled. This at least might limit some of the damage. I.e. a more built-in but also split-level "NoScript".
Obviously these things don't stop all of the attacks because there are many other causes including fonts, but it seems that "limit the damage" is needed at least as much as "hoping this security bug is the last".
Any word on Google Chrome, or is it still harder to exploit because of the sandbox mode?
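The "run Firefox as a captive user over ssh to localhost" idea above, written out as a launcher script with the two checks a practitioner would want before trusting the isolation. This is an added example, not the commenter's own script: the account name captiveuser, the use of ssh -X for the display, and the URL character filter are assumptions; firefox --no-remote is a real Firefox flag that stops the URL being handed to an instance already running under another account.

```shell
#!/bin/sh
# Added example: launch Firefox under a dedicated low-privilege account so a
# hijacked browser process only holds that account's rights. "captiveuser",
# the ssh -X display handoff and the URL filter below are assumptions.

CAPTIVE_USER="${CAPTIVE_USER:-captiveuser}"

# Return 0 when "others" have no read/write/search access to $1. If the real
# user's home is world-readable, the captive account can read it anyway and
# the separation is cosmetic. Portable: characters 8-10 of `ls -ld` are the
# "other" rwx bits.
home_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 2
    others=$(ls -ld "$dir" | cut -c8-10)
    [ "$others" = "---" ]
}

# ssh passes the remote command line through the captive account's shell, so
# a URL containing $(...), ;, | etc. would be executed there. Accept only
# http(s) URLs made of characters that shell will not interpret.
url_is_safe() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9:/._~?\&=%+#-]*) return 1 ;;
        http://* | https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse to launch unless both checks pass, then run the browser as the
# captive account with X11 forwarded back to this display.
launch() {
    url="$1"
    if ! url_is_safe "$url"; then
        echo "refusing: URL contains characters the remote shell would interpret" >&2
        return 1
    fi
    if ! home_is_private "$HOME"; then
        echo "refusing: $HOME is readable by other accounts (fix: chmod 700 \"$HOME\")" >&2
        return 1
    fi
    ssh -X "$CAPTIVE_USER@localhost" firefox --no-remote "$url"
}

# Usage: ./captive-browser.sh https://example.com/
if [ "$#" -gt 0 ]; then
    launch "$1"
fi
```

Two caveats. First, this confines file access, not the display: any client of the same X server can watch other windows and keystrokes, so use untrusted forwarding (-X, not -Y), which makes the X server's SECURITY extension restrict the forwarded client, and keep the captive profile free of anything you would mind losing. Second, the captive account still has network access and whatever setuid binaries the host offers, which is exactly the privilege escalation the earlier replies say you still have to rule out; a chroot or zone, as the comment suggests, narrows that further.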
Linux wasn't hacked because...
...it isn't used for the competition (only Windows and MacOS are for the desktops). It has nothing to do with its security (or otherwise).
Likewise Opera - it isn't one of the browsers used in the competition (it is only IE, Firefox and Chrome). You can't very well hack something that isn't on any of the systems in the first place.