Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them. The attacks came on Day One of the Pwn2Own contest, which pays …
...also fell quickly. Why no mention of that?
I was wondering how FF performed, being my own browser of choice. Likewise Opera.
(I just prefer it, I don't believe FF is any less hackable than anything else out there)
Because these are both combinations of OS and browser by the one company (who ought to know the ins and outs as good as anyone) one might assume (wrongly as it turns out) that these would be the most secure combinations.
I'm sure the other hacks will get a mention in time
I would argue that, as a rule of thumb, having a more integrated (and thus complex) system makes for a more insecure product. So in theory Opera/FF have a bit better chance of being secure than IE9 or Safari.
Anyhow, the Space Shuttle does fly better than a brick, so every theory has exceptions :)
What year would that be then?
"The Chrome and Firefox browsers will be the target of hackers on the second day of the contest."
Not sure if this is even a good idea but...
Shouldn't they realistically get to hack all the browsers on any available operating system?
Like FF on iOS or Windows, Safari on both, Chrome on both and so forth?
Either there are nefarious back-room deals and bribery afoot or Chrome is actually pretty damned secure.
Who'd have thought.
It's because it's not a terribly tempting target for hackers at the moment due to its limited userbase.
They also seem to be the most pro-active about fixing bugs quickly.
(Something FF used to be, but seem to be not quite as good at these days, IE does once a month, sometimes, and Safari seem to do a lot less than any of the above)
Y'reckon? You don't think the extra 20k on top of the 15k standard bounty, plus the kudos from the other hackmasters would tempt anyone?
More likely scenarios (as suggested elsewhere) would be:
* bought out for 36k + job + second-hand car with odd holes in roof
* Exploit no longer works on Chrome 10
* Bizarre GooNav accident drives him into a river en route to contest
Feel free to choose, depending on your favourite shape of tinfoil hat...
* Bizarre GooNav accident drives him into a river en route to contest
lol - that is all :D
Chrome not hacked
Iirc from last year, the hackers could exploit Chrome fairly easily, but they couldn't get out of the sandbox, so the exploit was limited. I'm pretty sure nothing's changed and if someone could exploit it, they would have.
What I'd really like to see is how hackers fare against Firefox and other browsers with common plugins enabled (noscript and suchlike).
Microsoft and Apple both suck
I pronounce this flame war officially open.
Sorry, there must be an error in the article
Did you say the Apple Mac and Safari had been hacked on the first attempt?
No, impossible. Everyone knows they are "unsinkable"
IE we expect to be hacked. Apple's "security by obscurity" is clearly not working.
Why no Firefox?
Was Firefox not in the contest?
No Firefox results because it was delayed until day 2
So anyone saying that it has been hacked already is wrong.
"The contestant [to attack Chrome] never showed."
Google take browser security _very_ seriously.
"and just one to attack Chrome, which in addition to the $15,000 prize awarded by Pwn2Own sponsor Tipping Point, also fetched $20,000 from Google. The contestant never showed."
This probably means the exploit either failed, was sold for a much higher fee on the black market, or Google bought him off.
I assume the worst case scenario. And 15K for an exploit that took nine months is *cheap*.
"The contestant never showed."
Chrome not hacked....
....apparently the guy is still wandering around trying to find the place, because Google maps mysteriously keeps sending him round in circles....
So why are there not Mac viruses and drive-bys out there? Or are there but we just don't realise it? Trojans is one thing but website-driveby attacks are quite another.
Here's yer title
Probably because there wouldn't be enough of a return for the criminals to go to the trouble of doing it. Hacks on windows are prevalent not just due to them being easy but also because there is a huge number of people using the system. These two factors combined result in a nice return for the criminals. As OSX is such a minority system then the return is much less so why go to the trouble.
Apparently you missed the /very public/ articles about the Safari drive-by-download they likened to "carpet bombing..."
That and it's a simple law of economics. You expect the best return by targeting the largest market. I know if I stuffed a virus on a drive-by-download site, expecting to hit perhaps 100,000 random targets (before the page is taken down by the powers that be), I'd load it with a windows virus. Why? 90,000 (90%) of them are likely to be read on a PC (vs the 5.19% Apple). Same principle applies to the likelihood of spreading (email or otherwise).
But, but but... sniffle, Macs are perfect and it was only exploited because you're all nasty nasty Windows Fanbois in the pay of Bill Gates, Our Lord Jobs would never lie to us and allow us to worship at his feet with flawed software.
And cue fanbois in 5,4,3,2.......
Pants on fire obviously....
Read the article, it has the facts in it
Did you even read the article?
Windows exploit time to develop: 6 weeks.
Mac exploit time to develop: 9 months.
The exploit on the Mac was run while the user was logged in as an administrator. Apple don't recommend this and you certainly wouldn't run your desktop as root on Linux.
Maybe you should read the article..
It clearly states he found it 2 weeks after creating the tools needed and then held on to it for 9 months.
Trying to avoid the truth...
This exploit runs under whatever privileges your user has just like any other Trojan. While it's nice that the core system is not infected, you still have the problem that your own data could be toast or that you could be hosting all sorts of illegal content.
Not running as root does not "solve" this problem.
A Safari equivalent of NoScript might however.
Errm, perhaps those rose tinted glasses they hand out with the Koolaid to fanbois need cleaning?
Give them a wipe over and read the article properly, once you've done that I'll graciously accept your grovelling apology as a reply in the forum.
How can this be? Apple software is perfect - ask any iPhan
Notwithstanding all the expertise his billions can hire, Jobs' gang still can't do the job perfectly - despite what they claim.
At least Microsoft is more realistic, they know they are not perfect and have given up the pretence, just using the hackers for a free quality check. Still after all these versions of I.E. you would have thought they would have performed better.
Nobody is perfect
Has Apple or Microsoft even claimed to write 100% bug free software that is absent of design flaws?
Nope. The difference is in how many flaws are there due to backward compatibility or ease of use. Windows was the king of backward compatibility and ease of use and they've moved back from that position with Windows Vista and 7. But there's still a lot to do.
You have to remember that these hackers are pretty exceptional at what they do. Now imagine how long it would take them to work out an exploit if they swapped places, the OSX guy tried to hack Windows and the Windows guy tried to hack OSX. It would take them a long time to get up to speed.
The fact is Windows is the platform that gets exploited the most and those people wanting to exploit the Mac would need to either buy one or use a hackintosh. Then get up to speed with it.
The sort of people who buy Macs don't intend to exploit it and ruin the experience.
How are you...
Any less of a fanboi than the 'iPhans' that you tritely and obtusely refer to? "At least Microsoft..." Yeah, yeah yeah, still nothin' but a troll. What were the house rules on trolling again El Reg?
So what does this mean for the iPhone?!?
I don't use Safari on my MacBook given its dubious "heritage" in this competition. However, given Safari on iPhone is your only choice, what do these exploits mean for that?!? Are the iPhone version or iOS sufficiently different from the OSX version so as not to be exposed?!?
RE: So what does this mean for the iPhone?!?
Oh, and there was me thinking that Opera had a chance on iPhone. Or was that only on iPad? Or did Stevie have some other mind-altering-drug and throw them out again?
RE: So what does this mean for the iPhone?!?
Probably to an extent. I think the iOS is a small bit different than the OSX on the macbook. So the "commands" sent to the OS would need to differ once Safari has been hacked.
That's maybe also a small (but cumulative) reason why less even tried to hack chrome & FF. They could be on any OS, while Safari & IE only have the one OS to worry about.
But this really opens the flood gates for those IPhans: 2 weeks of hacking to crack Safari (which is supposed to be secure because of the "hidden" nature of the program's workings - the hacker even mentioned: "In (OS X) there is not even shell code available on the internet."), but IE took a whole: "about six weeks of full-time research to find the bugs and write working exploits for them."
... SO! ... even with more info available to the hacker it took him 3 times longer to actually get it hacked!
No Opera on iPhone?
Can Opera not be installed on iPhone? I installed Opera on my iPod Touch (from the App Store).
it's called conditioning
iphone users are conditioned not to know any other browser but those authorized by his magnificence.
Alternative iOS browsers...
DO exist, even within Apple's Walled garden.
Opera, and Snowbunny browsers. Opera does work better. Both are free. Both in iTunes store.
The real question is whether or not WebKit is susceptible.
Everybody really knows, text mode browsing is the only way to go.
Lynx for the Wind!
What self-respecting hacker
Hasn't heard of nightly.webkit.org?
Isn't that the code base that Safari is derived from?
Methinks the hacker doesn't know much about them thar interwebs
shirley you mean elinks?
tabbed browsing, scroll wheel support (yeah yeah, even for a text browser), ssh support, better formatting. plus all the usual goodies that lynx offers like tying into mutt to display html mail etc.
maybe lynx also supports some of the above, but it didn't when i made the switch many a fortnight ago.
unless, i am a complete dodo and you are referring to browsers only available in ios.
beer cos it's friday and you deserve one for mentioning lynx.
Sorry but the author of this artical does not seem to know the difference between 'principal' and 'principle'. They wrote....
"Steven Fewer, an independent security researcher and principle of security consultancy Harmony Security...."
I suspect that Mr Fewer is actually a principal of said consultancy.
Sorry just working here to protect the beauty of our language like what she is wrote.
Re: Pedant alert...
Sorry, but you do not seem to know the difference between "article" and "artical." You wrote...
"Sorry but the author of this artical does not seem to know the difference between..."
In case you weren't aware, "artical" is not a word.
Sorry, just working here to protect the beauty of your language (it's my second).
Re: Re: Pedant alert
Mr Lawrence will no doubt tell, but I'd have thought it was pretty unlikely that someone who knows the distinction between principle and principal doesn't also know how to spell article, so the "artical" is probably just a joke that you didn't get.
Symbian - Nokia?
I know Nokia has signed up with the boys of Redmond but has it suddenly become so irrelevant that it no longer rates in a hack fest?
Sounds like discrimination. Either that or Symbian is bullet proof!!
“We have the same privileges as the user who visited the webpage.”
And that's the rub.
If the victim is logged in as an Admin then they get access to most of the Mac, except the System folder, hence why this is a bad idea. If they are logged in as a "normal" User, they can only play in their own Home folder. Limited Users have even less access and Guests have almost none. Very unlikely that they'd be logged in as root.
I still say that OSX should require that every Mac has a minimum of 1 Admin and 1 other type of user and that it makes a point of instructing people to only use the Admin account when necessary.
Is the OS that important?
It depends on what is more important to you. I couldn't care less if I lose my OS as it is easy enough to reinstall. My data on the other hand, which would be accessible as the hacker has the same permissions as me is a totally different story. I would say it is far worse to give them access to your personal files as you don't know what would happen after that. How many people (myself included) have enough in there to give an identity thief an easy ride? CVs, letters to family, saved emails, rude pictures of the girlfriend etc.
You're holding it wrong.
the "sent from my iphone" signature
So, you now have access to the system through an account; next hack run is privilege escalation exploit.
Once you're in the system remotely you're in the system, regardless of the account you happen to have wheedled your way into.
Doesn't matter what system you're attacking, the exploit methodology is the same; get into the system, escalate privileges, control system.
A couple of quotes in the article stood out.
"...proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them."
They've proven nothing of the sort. They've proven that certain applications are vulnerable. I assume from the lack of coverage that (as in previous years) they didn't even bother to run the "crack a bare OS" contest because no-one can actually do it anymore.
" “Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security"
Again, a massive and inaccurate generalisation from a handful of actual data points. If these idiots can't even secure their own mouths against sewage outflows, why should we trust their advice on OS security?
Safety in Opera
As mentioned by a couple earlier, it should be clear, if you really want security while browsing, use Opera.
While I'm certain it's exploitable, it's had a strong record of minimal vulnerabilities, but also Opera's time-to-patch is very fast. Their 15-yr history of browser design expertise on the desktop and 3000 different handset models, is quite impressive.