Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.
How embarresing!
by sc3252 on Thu 19th Mar 2009 07:10 UTC
sc3252
Member since:
2005-09-06

All I have to say is it couldn't happen to a more deserving company. Apple's elitist attitude just astonishes me.
A good example of this is the charge of $10 to enable bluetooth on itouch players.
http://www.dailytech.com/article.aspx?newsid=14611

Of course I am still interested in seeing if firefox and internet explorer will get cracked, but this just takes the cake for me.

Edit: ugh, not as great as I thought.
http://blogs.zdnet.com/security/?p=2934
Looks like all of them fell, so... whatever, at least Apple went first.

Edited 2009-03-19 07:13 UTC

Reply Score: 4

RE: How embarresing!
by Liquidator on Thu 19th Mar 2009 11:37 UTC in reply to "How embarresing!"
Liquidator Member since:
2007-03-04

I'm surprised Safari fell first... Nothing about Opera. Maybe it's not insecure enough for the fun ;)

http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=6221...

Reply Score: 2

RE: How embarresing!
by lqsh on Thu 19th Mar 2009 13:15 UTC in reply to "How embarresing!"
lqsh Member since:
2007-01-01

Wow, I guess I have to throw out my (family's) three stable/reliable/worry-free MacBooks now and switch back to the Windows/PC nightmare ;)

Look, Mac hardware/software is not perfect, but it's much better than the PC/Windows security defense routine, and the annual Windows reformat.

Reply Score: 3

RE[2]: How embarresing!
by mightshade on Thu 19th Mar 2009 16:03 UTC in reply to "RE: How embarresing!"
mightshade Member since:
2008-11-20

and the annual Windows reformat.

I don't know anybody who does that, and I don't see a reason to. Well, maybe except if you somehow have the irresistible urge to install and test any software you stumble across.
It's a myth, so stop spreading that.

Reply Score: 4

RE[3]: How embarresing!
by polaris20 on Thu 19th Mar 2009 16:49 UTC in reply to "RE[2]: How embarresing!"
polaris20 Member since:
2005-07-06

"and the annual Windows reformat.

I don't know anybody who does that, and I don't see a reason to. Well, maybe except if you somehow have the irresistible urge to install and test any software you stumble across.
It's a myth, so stop spreading that.
"

I do it every year. Of course I just image it in 20 minutes using free tools, because reformatting and building from scratch would be uncivilized. ;)

Reply Score: 3

RE[3]: How embarresing!
by Mellin on Sat 21st Mar 2009 21:28 UTC in reply to "RE[2]: How embarresing!"
Mellin Member since:
2005-07-06

I have to do that to people's PCs after they fill the hard drive with Windows malware.

Reply Score: 2

RE: How embarresing!
by Ford Prefect on Thu 19th Mar 2009 13:44 UTC in reply to "How embarresing!"
Ford Prefect Member since:
2006-01-16

What have Apple's pricing decisions to do with the security of their browser exactly??

Do it like me: If you don't want to spend that money, then just don't!

Reply Score: 2

RE: How embarresing!
by aphistic on Thu 19th Mar 2009 15:22 UTC in reply to "How embarresing!"
aphistic Member since:
2005-07-07

A good example of this is the charge of $10 to enable bluetooth on itouch players.
http://www.dailytech.com/article.aspx?newsid=14611


You make it sound as though all you get for your $10 is bluetooth, which is completely untrue.

Apple's not doing anything other software companies haven't done before.

Reply Score: 2

RE: How embarresing!
by Chicken Blood on Thu 19th Mar 2009 19:58 UTC in reply to "How embarresing!"
Chicken Blood Member since:
2005-12-21

How embarrassing - not being able to spell embarrassing.

Reply Score: 3

Sad to say
by kaiwai on Thu 19th Mar 2009 07:10 UTC
kaiwai
Member since:
2005-07-06

I'm not surprised that it has happened; Apple hasn't seemed to learn a single thing; they introduce garbage collection with Objective-C and yet none of the components of Mac OS X use it, they introduce ASLR and again very few components use it.

It will be interesting to see how it was cracked - and hopefully Apple will wake up and do something about the security issues in Safari and Quicktime (which is another one which has had numerous security alerts).

Reply Score: 8

RE: Sad to say
by evangs on Thu 19th Mar 2009 07:29 UTC in reply to "Sad to say"
evangs Member since:
2005-07-07

I think it'll be quite a few years before we see Objective-C 2.0 adopted throughout all of Apple's software. I mean, look at .NET and how prevalent it is in Microsoft's offerings. A decade after it's been introduced, the majority of their software is still Win32.

I hope Apple will spend considerably more effort in pushing Objective-C 2.0 adoption.

Reply Score: 6

RE[2]: Sad to say
by Alexco on Thu 19th Mar 2009 08:15 UTC in reply to "RE: Sad to say"
Alexco Member since:
2006-05-25

Garbage collection alone does not increase security. And Objective-C 2.0 runs only on Leo, but Safari has to work on 10.4, too.

Reply Score: 2

RE[3]: Sad to say
by Kroc on Thu 19th Mar 2009 08:18 UTC in reply to "RE[2]: Sad to say"
Kroc Member since:
2005-11-10

Obj-C 2.0 is just the language, the compiled binaries can work on 10.4, only XCode 3 requires Leopard. Garbage Collection is opt-in on Leopard, and a separate binary for 10.4 wouldn't include it.

Reply Score: 3

RE[4]: Sad to say
by Alexco on Thu 19th Mar 2009 08:40 UTC in reply to "RE[3]: Sad to say"
Alexco Member since:
2006-05-25

As you said: a separate binary. I doubt that Apple would release two versions of Safari for OS X.

Reply Score: 1

RE[2]: Sad to say
by werpu on Thu 19th Mar 2009 09:22 UTC in reply to "RE: Sad to say"
RE[3]: Sad to say
by google_ninja on Thu 19th Mar 2009 12:16 UTC in reply to "RE[2]: Sad to say"
google_ninja Member since:
2006-02-05

The problem in the case of .NET isn't performance, it is several thousand man years worth of legacy code. Anything new is done in .NET.

Anything in the GAC (global assembly cache) only gets loaded once, which includes the core libraries. Also, there is only ever one runtime running (as opposed to java/ruby/python/etc), and individual programs are segregated into "AppDomains" under that single runtime.

Reply Score: 5

RE[4]: Sad to say
by ba1l on Thu 19th Mar 2009 15:39 UTC in reply to "RE[3]: Sad to say"
ba1l Member since:
2007-09-08

Also, there is only ever one runtime running (as opposed to java/ruby/python/etc), and individual programs are segregated into "AppDomains" under that single runtime.


Except when it isn't.

Application domains can be used to host multiple applications inside a single OS process. However, the app domains are implemented as multiple copies of the .NET VM running inside a single process. Even if you have a single process with 10 application domains, you still have multiple VMs, which are deliberately kept isolated from one another. Big deal - pretty much any VM runtime can do that.

That's how the .NET VM is hosted inside SQL Server, how it's used in IIS for ASP.NET websites, and how it's hosted as a COM object inside other applications.

However, that's not how most .NET applications run. If you run a .NET application, a new process will be created, creating a new instance of the .NET VM along with it.

What it can do is pre-compile the assemblies in the GAC to native code. That way, the native code can be shared by any application using it - the runtime just mmaps the code to memory, and the OS just maps the same block of memory into each VM's address space.

That's something that other VMs don't do yet, although I believe Sun were working on some sort of JIT cache for Java that'd perform the same role.

Reply Score: 3

RE[5]: Sad to say
by google_ninja on Thu 19th Mar 2009 15:55 UTC in reply to "RE[4]: Sad to say"
google_ninja Member since:
2006-02-05

However, the app domains are implemented as multiple copies of the .NET VM running inside a single process. Even if you have a single process with 10 application domains, you still have multiple VMs, which are deliberately kept isolated from one another. Big deal - pretty much any VM runtime can do that


You learn something new every day ;)

I was under the impression that while appdomains were heavy, it was less overhead than running multiple Java apps. Guess there isn't all that much of a difference other than the shared memory bit.

Reply Score: 2

RE: Sad to say
by Kroc on Thu 19th Mar 2009 07:36 UTC in reply to "Sad to say"
Kroc Member since:
2005-11-10

I'm not surprised because they attacked the browser. Lame.

Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.

Seriously, cracking browsers is boring -- I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500'000 direct attacks, and not one successful.

Reply Score: 3

RE[2]: Sad to say
by Thom_Holwerda on Thu 19th Mar 2009 07:42 UTC in reply to "RE: Sad to say"
Thom_Holwerda Member since:
2005-06-29

Weakest link in the chain, Kroc.

Reply Score: 8

RE[3]: Sad to say
by Kroc on Thu 19th Mar 2009 08:08 UTC in reply to "RE[2]: Sad to say"
Kroc Member since:
2005-11-10

A self-propagating Mac virus is not going to be very successful unless it can spread via other means than just the browser. It may enter via the browser, but going machine to machine is going to need to be more clever than that.

The patch for this flaw will be released, and this whole thing would have been nothing but one big ego-trip for the hacker, with no profound meaning.

Are we to expect to shower the grey-hats and white-hats with attention and prizes for every browser bug they find? No, finding and reporting browser bugs should be humble work, and many hackers are humble enough to do it this way, letting the vendor know early and giving them time to resolve the issue.

This competition is just to sensationalise and rile up the haters and the ignorant over a matter that should be handled much better.

-- PS. Both WebKit and Gecko are open source engines; if the guy weren't a pr!ck, then he would have filed the bugs and provided patches. This competition just waves money in front of hackers' faces and says "Hey, don't contribute to the safety of everybody online, when you can have all this money, and your name splashed across the news for days!".

This is disrespectful to the end user, the person who we tend to forget, is the most important person in front of the computer.

Edited 2009-03-19 08:14 UTC

Reply Score: 4

RE[4]: Sad to say
by oxygene on Thu 19th Mar 2009 09:30 UTC in reply to "RE[3]: Sad to say"
oxygene Member since:
2005-07-07

This is disrespectful to the end user, the person who we tend to forget, is the most important person in front of the computer.

Huh? "the most important person in front of the computer"?
Probably for companies that have to care about their market share. But for some random Joe Hacker?

Reply Score: 1

RE[5]: Sad to say - I'm an end user
by jabbotts on Thu 19th Mar 2009 13:05 UTC in reply to "RE[4]: Sad to say"
jabbotts Member since:
2007-09-06

As a tech professional and an end user, I think things that benefit my computing experience are pretty important.

My grief with large software companies is not that they are successful but that they continue to make decisions in favor of the shareholders at the expense of the end user. A better balance between profits and product quality could be struck but that doesn't maximize shareholder equity payouts.

Apple has a vested interest in appearing invulnerable. It's BS marketing and company insecurity, but the network stack bug that "didn't exist"... They brought in lawyers to silence the researchers that tried to report it. Then quietly, a month later, a patch for the network stack and drivers appears in the OS X Update utility. Microsoft also suffers from the idea that publicly announced bug counts are a discredit to marketing, so it's more important to push blame on to third party developers rather than fix the OS flaw that the third party apps keep getting exploited through. Neither of these things benefits the end user.

As an end user, I want new features to benefit me rather than be purely to give the appearance of a new product we all have to upgrade to. As a technology professional, I want things that make my users' computing lives easier and safer. As a security professional specifically, I'd like nothing more than to work myself out of a job. My goal is to arrive at work and find out that there are no risks to mitigate or future risks to plan for because of end user education and product quality; luckily, I have many years of employment before that's likely to happen.

It's all about the end user; either myself or the people I support. (But yeah, it's sad that the end user is just a wallet to some of the biggest retailers.)

Reply Score: 5

RE[4]: Sad to say
by Soulbender on Thu 19th Mar 2009 11:50 UTC in reply to "RE[3]: Sad to say"
Soulbender Member since:
2005-08-18

This competition is just to sensationalise


On that we can agree. It even has an incredibly lame name to prove it.

Reply Score: 3

RE[2]: Sad to say
by darknexus on Thu 19th Mar 2009 07:42 UTC in reply to "RE: Sad to say"
darknexus Member since:
2008-07-15

The browser is also one of the most likely targets for an exploit, precisely because it's often so vulnerable and because it is one of the most used components of the operating system. No matter how boring it is, it's still significant, and full os security isn't worth jack if the browser is insecure.

Reply Score: 13

RE[2]: Sad to say
by Soulbender on Thu 19th Mar 2009 07:48 UTC in reply to "RE: Sad to say"
Soulbender Member since:
2005-08-18

I wanted to see direct attacks against the OS and *then* see how well it stands up.


Who cares when you can take *control of the machine* via the browser?

Reply Score: 12

RE[3]: Sad to say
by macUser on Thu 19th Mar 2009 16:13 UTC in reply to "RE[2]: Sad to say"
macUser Member since:
2006-12-15

I'd be curious to see what the system setup was as I didn't see that in the original article.

Was this user an admin user or a non-privileged user? Does that matter for the exploit (guess we'll find out when the patch is deployed)

Being the first to fall really doesn't mean much to me, all it means is that someone with a working exploit went to that machine first, vs the other machines. I see Safari, IE and Firefox all went down today...

Reply Score: 1

RE[2]: Sad to say
by Karitku on Thu 19th Mar 2009 07:49 UTC in reply to "RE: Sad to say"
Karitku Member since:
2006-01-12

Pretty poor excuse given the fact that the browser is the most used program on any computer and a major reason why so many people use computers at home.

Reply Score: 8

RE[2]: Sad to say
by Valhalla on Thu 19th Mar 2009 08:00 UTC in reply to "RE: Sad to say"
Valhalla Member since:
2006-01-24

In order to remotely attack a machine you need a way to deploy that attack. These days most operating systems (even Windows) have realized that keeping a lot of default ports open (listening) is stupid. So the best way to deploy your attack is pretty much through the web.

However, some things bother me with this: they claim that they can take full control of the machine through the web browser. How exactly can they do that if the browser is running in userland under an account with user privileges? The way I see it they can only utilize the power given to the account which the browser is running under, unless they also have some OS privilege-elevation exploit as well?

Or are all these browsers being run under administrator privileges (which is pretty stupid)?

Reply Score: 5

RE[3]: Sad to say
by -oblio- on Thu 19th Mar 2009 09:40 UTC in reply to "RE[2]: Sad to say"
-oblio- Member since:
2008-05-27

Windows XP - ~90% market share. Default user account is in the administrator's group. So the browser runs as this user, which is basically an administrator. Therefore ~90% of computer users run their web browsers with administrative privileges (or equivalent).

Reply Score: 4

RE[3]: Sad to say - escalation
by jabbotts on Thu 19th Mar 2009 13:08 UTC in reply to "RE[2]: Sad to say"
jabbotts Member since:
2007-09-06

I hear that OS X isn't too hard against privilege escalation. Anyone know if "unapproved" applications will still run simply by changing the identifier text file within the program's directories? (Seen as a single object when only viewed through Finder.)

It'll be interesting to see the details of the exploits used if/when they become available.

Reply Score: 2

RE[3]: Sad to say
by ciplogic on Thu 19th Mar 2009 15:13 UTC in reply to "RE[2]: Sad to say"
ciplogic Member since:
2006-12-22

The rules of the game were clear: it is not about user escalation, it is about getting user data. And this with nothing more than a click on a link. Which is pretty shameful. What if I click on OSMEVS.COM and someone reads my whole home folder? It is not a funny experience!

Reply Score: 5

RE[2]: Sad to say
by kaiwai on Thu 19th Mar 2009 09:51 UTC in reply to "RE: Sad to say"
kaiwai Member since:
2005-07-06

I'm not surprised because they attacked the browser. Lame.

Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.

Seriously, cracking browsers is boring -- I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500'000 direct attacks, and not one successful.


Whether someone robs your house by getting through the front door or through one of the windows; to claim that it is 'boring' that they got through the window instead of breaking down your super reinforced door is an attempt to ignore what just happened - you've just been robbed!

Apple has sandbox technology, so why isn't Safari running in the sandbox which some of the services run in? Why doesn't QuickTime operate in the sandbox? Again, Apple has the technology but they aren't taking advantage of it.

Reply Score: 4

RE[2]: Sad to say
by Ford Prefect on Thu 19th Mar 2009 13:42 UTC in reply to "RE: Sad to say"
Ford Prefect Member since:
2006-01-16

You know that the browser is probably the application doing most communication to the outside world running on the average desktop?

It makes perfect sense to go after it. Maybe a browser really is the hardest application to harden. Still, it also is the most important one.

Reply Score: 2

RE: Sad to say
by werpu on Thu 19th Mar 2009 09:19 UTC in reply to "Sad to say"
werpu Member since:
2006-01-18

I'm not surprised that it has happened; Apple hasn't seemed to learn a single thing; they introduce garbage collection with Objective-C and yet none of the components of Mac OS X use it, they introduce ASRL and again very few components use it.


You forgot one thing: the components of OS X are way older than the GC in Objective-C; they are proven, well-running code. So why change them just to get a speed hit introduced by GC...
GC does not do a single thing to improve security btw... it only makes programs more stable to some degree by taking over the memory freeing.
The biggest thing to add security is to add strings which have clear boundaries to a language. One of the reasons why C based programs are so inherently insecure is their handling of strings as glorified pointers. Sure, there are routines for string copying which prevent the buffer overflow issues introduced by such data structures, but languages like Pascal, Modula and others didn't have them in the first place...
GC does not help there either. Don't get me wrong, I am a huge fan of GC, I use it on a day to day basis and have been using it for more than a decade, but blaming Apple for not moving old legacy code over to new GC at a time the legacy code is stable and runs well is idiotic!

Reply Score: 3

Comment by Hakime
by Hakime on Thu 19th Mar 2009 08:05 UTC
Hakime
Member since:
2005-11-16

"It will be interesting to see how it was cracked - and hopefully Apple will wake up and do something about the security issues in Safari and Quicktime"

You say that and in the same time IE and Firefox were also compromised. How does your point make any sense here?

" contest by cracking Safari and Mac OS X within seconds of the start of the competition."

BS, his job is to find security holes; he surely spent plenty of time to find this one. Saying that he did this in x or y seconds for sensationalism does not make any sense, as he had tested before whether the exploit works. The only thing that he needed was someone to click where he wanted it.

"This is the second year in a row that Safari on the Mac is the first to fall in the PWN2OWN contest, again by Miller's hands."

The order is not important here because they all fell in the same stage of the contest. Just because Miller demonstrated his exploit first does not mean that Safari fell first. You make it sound that Safari fell first and therefore it is less secure, but the fact is that IE or Firefox fell in exactly the same manner, regardless of who performed the exploit first.

"So far, only Chrome hasn't been cracked yet, but that probably won't take long"

Humm, the flaw in Safari is probably in WebKit, so Chrome is probably also affected.

Reply Score: 7

RE: Comment by Hakime
by Thom_Holwerda on Thu 19th Mar 2009 08:24 UTC in reply to "Comment by Hakime"
Thom_Holwerda Member since:
2005-06-29

BS, his job is to find security holes; he surely spent plenty of time to find this one. Saying that he did this in x or y seconds for sensationalism does not make any sense, as he had tested before whether the exploit works. The only thing that he needed was someone to click where he wanted it.


I said that he had cracked Safari within seconds of the competition. This is 100% fact, and there's nothing sensationalistic about it. It would be sensationalism if I had written something like "Safari Cracked within Seconds, Apple Most Insecure Company EVARR!!!"

But I didn't. This article is simply a lineup of facts. Like it or not. As usual, you are trying to shoot the messenger.

You make it sound that Safari fell first and therefore it is less secure, but the fact is that IE or Firefox fell in exactly the same manner, regardless of who performed the exploit first.


Why is it always the messenger shooting with you Apple folk? I didn't say ANYTHING about who is less secure than the other! You are just making stuff up now.

This is a simple listing of facts of how the contest went. That's all. I can't help it that your pet company's browser was the first to fall again. Only with Apple fans can journalists/bloggers be blamed for a possible Cupertino screw up.

Humm, the flaw in Safari is probably in WebKit, so Chrome is probably also affected.


Doesn't have to be WebKit, but could be.

Edited 2009-03-19 08:32 UTC

Reply Score: 6

RE[2]: Comment by Hakime
by JonathanBThompson on Thu 19th Mar 2009 09:38 UTC in reply to "RE: Comment by Hakime"
JonathanBThompson Member since:
2006-05-26

Thom, your reading comprehension is too low to catch this fact mentioned in the article:

He went out of his way to test the exploit before the contest to make sure it would work every time.


In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that. I'm imagining that unless he got the user to enter their password, it wasn't quite as "total" as stated: if you can't enter the password for certain things, or do something to configure things such that you don't need it, it isn't truly total control over the machine, but it can still at least be very damaging to that user's accounts.

Reply Score: 3

RE[3]: Comment by Hakime
by Thom_Holwerda on Thu 19th Mar 2009 09:45 UTC in reply to "RE[2]: Comment by Hakime"
Thom_Holwerda Member since:
2005-06-29

In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.


I know.

Read what I wrote: "cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition."

And that's 100% accurate, exploit in hand or not.

Reply Score: 4

RE[4]: Comment by Hakime
by majipoor on Thu 19th Mar 2009 10:42 UTC in reply to "RE[3]: Comment by Hakime"
RE[4]: Comment by Hakime
by Soulbender on Thu 19th Mar 2009 11:45 UTC in reply to "RE[3]: Comment by Hakime"
Soulbender Member since:
2005-08-18

Dude, it is obviously deceiving. What it sounds like is that he came unprepared and figured out how to crack Safari in seconds while in fact he had prepared the exploit beforehand.

Reply Score: 4

RE[3]: Comment by Hakime
by Soulbender on Thu 19th Mar 2009 11:40 UTC in reply to "RE[2]: Comment by Hakime"
Soulbender Member since:
2005-08-18

He went out of his way to test the exploit before the contest to make sure it would work every time.


Well, it's quite possible the other guys had also prepared for the browsers they worked on.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that.


Yeah, I was also wondering how he got control over the machine from the browser. Running code, sure, but that would still only be under the user account.
Then again, having "root" isn't what most malware is interested in anyway.

but it can still at least be very damaging to that user's accounts.


Aside from not being able to change system files and configurations it can still be quite damaging. You can still run botnets from a user account, for example.

Edited 2009-03-19 11:42 UTC

Reply Score: 5

RE[4]: Comment by Hakime
by sakeniwefu on Thu 19th Mar 2009 15:27 UTC in reply to "RE[3]: Comment by Hakime"
sakeniwefu Member since:
2008-02-26


Well, it's quite possible the other guys had also prepared for the browsers they worked on.


All of them had. The ones that didn't win didn't have any good exploit or had one but a recent patch had fixed it.

Nobody can find and exploit a bug in minutes, or even hours unless the bug is very noobish and can be found easily.

It's not 1983 anymore.

I am sincerely surprised by IE8/Win7 both falling. While IE8 was bound to be broken like any other browser, I thought IE in Windows Vista+ ran in sandbox mode, or is that something you have to enable?

Maybe the sandbox isn't sandproof?

Reply Score: 3

RE[5]: Comment by Hakime
by PlatformAgnostic on Thu 19th Mar 2009 20:10 UTC in reply to "RE[4]: Comment by Hakime"
PlatformAgnostic Member since:
2006-01-02

It depends on the contest requirements. The IE Protected Mode allows reads (but not writes).

Reply Score: 2

RE[3]: Comment by Hakime
by Michael on Thu 19th Mar 2009 14:36 UTC in reply to "RE[2]: Comment by Hakime"
Michael Member since:
2005-07-01

He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.

As is stated in the first sentence of the summary. This story has been covered here before so I guess Thom's just assuming we're all familiar with the facts (and it sounds like we are).

I think this competition is more about encouraging white hat hacking than exposing security flaws. So no point bickering about the results - they only prove that Charlie Miller knows his stuff.

Reply Score: 4

Linux?
by Moredhas on Thu 19th Mar 2009 08:35 UTC
Moredhas
Member since:
2008-04-10

Was there no Linux machine in the contest this year? Last year it went uncracked, didn't it? I'd really love to see someone crack a Linux machine in a contest like this, because well publicised exploits can only make it stronger. My money is on Adobe being responsible for the exploit that gives us Linux users our first real malware scare.

Reply Score: 1

RE: Linux?
by eantoranz on Thu 19th Mar 2009 13:34 UTC in reply to "Linux?"
eantoranz Member since:
2005-12-18

I was wondering just that. Why is there no GNU/Linux box this year? Could it be that it's too secure to even show up? I know it's not because of that, so don't mod me down as it's just a joke.

Reply Score: 3

Money
by henrikmk on Thu 19th Mar 2009 08:43 UTC
henrikmk
Member since:
2005-07-10

http://www.appleinsider.com/articles/09/03/19/mac_security_research...

From the article above:

That fact highlights that, in reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities.

If it's all so money motivated, perhaps Apple should simply pay Charlie Miller $500 every time he finds a valid security hole in an Apple application. Since he seems to be so good at it, they should take advantage of it. That would be cheaper for them than having headlines like this, which is likely to cost them a few Mac purchases (but not that many).

Edited 2009-03-19 08:44 UTC

Reply Score: 6

RE: Money
by Thom_Holwerda on Thu 19th Mar 2009 08:47 UTC in reply to "Money"
Thom_Holwerda Member since:
2005-06-29

Definitely true. Which is why Microsoft is actively seeking out people like Miller and paying/employing them to do just that, and it's also why they actually had people present during the contest. That's what we call an active security policy.

But let's face it, Microsoft needed such a policy. Vista and 7 are doing much better now, though. Apple has had no reason to do this, and this exploit probably doesn't really change anything about that. This exploit might be fun and all, but it doesn't really change the fact that Mac OS X is still pretty secure.

Then again, so are Linux, Vista, and 7. Security is no longer really a reason to specifically pick either of those (well, unless Microsoft stays in retard mode and doesn't fix the broken UAC in Windows 7).

Edited 2009-03-19 08:49 UTC

Reply Score: 3

RE[2]: Money
by kragil on Thu 19th Mar 2009 09:50 UTC in reply to "RE: Money"
kragil Member since:
2006-01-04

I call BS.

I attended the Chaos Communication Congress in Berlin a few times and talked to people who exploit systems for a living, and they say if you want to be really safe you have to use a system with little market share and with great security.

That is why in the real world you are way, way more secure running a Linux distro with SELinux enabled throughout (like Fedora) or AppArmor, Smack etc. Or maybe even better OpenBSD (similar security, even less market share).

Edited 2009-03-19 09:51 UTC

Reply Score: 1

RE[3]: Money
by sakeniwefu on Thu 19th Mar 2009 15:52 UTC in reply to "RE[2]: Money"
sakeniwefu Member since:
2008-02-26

That is why in the real world you are way, way more secure running a Linux distro with SELinux enabled throughout (like Fedora) or AppArmor, Smack etc. Or maybe even better OpenBSD (similar security, even less market share).

That is true (only market share has nothing to do with it as long as you don't use Windows), but most people get carried away by benchmarks. OpenBSD won't ever compare favorably to Windows or vanilla Linux in benchmarks. And people want their games and browsers and videos at 3000 fps.

If you want your OS to be used, you cannot start putting canaries in your stack, making allocations with byte granularity and randomizing the positions of everything.

Linux has gotten a bit better lately, and there is SELinux (ahem), but I don't see a default Ubuntu installation ever including half of it.

As long as you can more or less follow an introduction-to-hacking tutorial with your OS, it means it is insecure as hell and you are just lucky not to have been targeted yet.

Reply Score: 2

RE[2]: Money
by paws on Thu 19th Mar 2009 15:54 UTC in reply to "RE: Money"
paws Member since:
2007-05-28

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds. The guy spent hours, days, weeks, maybe months looking for this hole, then even more time writing code that performed the exploit. Then he ran it, and that apparently only took seconds. Big f--king deal.

My personal web site generation framework has I don't know how many hundreds of hours of work put into it, but it spits out pages in usually somewhere between ten and twenty milliseconds. That says nothing about the effort involved (well, it does, in that it did take a bit of optimisation to get it to run faster).

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here. No one shows up to this kind of thing and then starts looking for exploits.

ERGO: the non-sensationalist headline for this story would be something like "BROWSERS STILL SUCK AT THE SECURITIES".

End message.

Reply Score: 5

RE[3]: Money
by macUser on Thu 19th Mar 2009 16:15 UTC in reply to "RE[2]: Money"
macUser Member since:
2006-12-15

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds. The guy spent hours, days, weeks, maybe months looking for this hole, then even more time writing code that performed the exploit. Then he ran it, and that apparently only took seconds. Big f--king deal.

My personal web site generation framework has I don't know how many hundreds of hours of work put into it, but it spits out pages in usually somewhere between ten and twenty milliseconds. That says nothing about the effort involved (well, it does, in that it did take a bit of optimisation to get it to run faster).

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here. No one shows up to this kind of thing and then starts looking for exploits.

ERGO: the non-sensationalist headline for this story would be something like "BROWSERS STILL SUCK AT THE SECURITIES".

End message.

I'd mod you up, but I already responded. Couldn't have said it better!

Reply Score: 1

RE[3]: Money
by macUser on Thu 19th Mar 2009 16:16 UTC in reply to "RE[2]: Money"
macUser Member since:
2006-12-15

dupe post

Edited 2009-03-19 16:17 UTC

Reply Score: 1

RE[3]: Money
by tupp on Thu 19th Mar 2009 19:18 UTC in reply to "RE[2]: Money"
tupp Member since:
2006-11-12

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here.

Or, more likely, it means that Safari is easier to crack, even though the Firefox and IE crackers prepared just as much as "whatshisface."

No one shows up to this kind of thing and then starts looking for exploits.

Of course.

All of the crackers prepared in advance, and Safari was the easiest and quickest to crack.

So, the headline should read: "SAFARI ONCE AGAIN SHOWN TO BE THE EASIEST TO CRACK, IN SPITE OF APPLE FANBOYS' ATTEMPTS TO SPIN OTHERWISE."

End of story.

Reply Score: 4

RE[4]: Money
by paws on Thu 19th Mar 2009 19:28 UTC in reply to "RE[3]: Money"
paws Member since:
2007-05-28

Err. There is logically no way the time it takes to EXECUTE a pre-prepared exploit is related to how easy it is to FIND one. QED, you're wrong.

(Also, I'm a full-time Ubuntu user. The only Macs I have around all run MacOS < 9. Or Linux.)

Edited 2009-03-19 19:31 UTC

Reply Score: 1

RE[3]: Money
by segedunum on Sun 22nd Mar 2009 00:43 UTC in reply to "RE[2]: Money"
segedunum Member since:
2005-07-06

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds.

Yes it was, because it took very little time for the exploit to actually do its job.

The guy spent hours, days, weeks, maybe months looking for this hole, then even more time writing code that performed the exploit. Then he ran it, and that apparently only took seconds. Big f--king deal.

The Apple fanboys are so funny.

Yes, he did come with a pre-prepared exploit in his pocket. However, he and others did exactly the same to other operating systems and browsers and found nothing, and if they did it was very, very little. He knew he was going to be able to exploit OS X and Safari regardless of how much time he spent on it.

Yer. It really isn't a big deal at all.

Edited 2009-03-22 00:48 UTC

Reply Score: 2

Which version?
by darknexus on Thu 19th Mar 2009 08:50 UTC
darknexus
Member since:
2008-07-15

Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?

Reply Score: 2

RE: Which version?
by steviant on Thu 19th Mar 2009 12:13 UTC in reply to "Which version?"
steviant Member since:
2006-01-11

Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?

They used Safari 4 running on an up-to-date version of Leopard, versus the latest Windows 7 and IE8, so it's possible that whatever bug was exploited is fixed in 10.6 or the latest WebKit nightlies, but I'd be very surprised. On the face of things it seems like a pretty fair competition.

From canwestsec.com:

On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (Yes that means the Safari 4 beta, the latest build of IE8 we can get our hands on, and the upcoming FireFox release) on each of the two prize laptops (for the corresponding multi-os browsers).

Reply Score: 1

RE[2]: Which version?
by polaris20 on Thu 19th Mar 2009 15:44 UTC in reply to "RE: Which version?"
polaris20 Member since:
2005-07-06

"Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?

They used Safari 4 running on an up-to-date version of Leopard, versus the latest Windows 7 and IE8, so it's possible that whatever bug was exploited is fixed in 10.6 or the latest WebKit nightlies, but I'd be very surprised. On the face of things it seems like a pretty fair competition.

From canwestsec.com:

On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (Yes that means the Safari 4 beta, the latest build of IE8 we can get our hands on, and the upcoming FireFox release) on each of the two prize laptops (for the corresponding multi-os browsers)."

So a beta browser on OS X is cracked, and a beta browser on a beta operating system is cracked (Win7).

Does anyone know if these exploits are also in the production versions of the browsers/OSes in question? Because otherwise this feat of cracking a beta product is somewhat diminished.

I for one don't run beta browsers or OSes on anything other than test machines or VMs, never in a production environment where security is a concern.

Reply Score: 3

RE[3]: Which version?
by steviant on Sat 21st Mar 2009 04:57 UTC in reply to "RE[2]: Which version?"
steviant Member since:
2006-01-11

In an interview with ZDNet, Charlie Miller has stated that his exploit also works on Safari 3, and that it was one option he could have used to win last year's competition.

Perhaps more interestingly he also claims that Mac OS X's lack of support for No eXecute memory and address space randomization makes it much easier to exploit OS X than Windows once a bug has been identified.

Reply Score: 1
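The mitigations that sakeniwefu and steviant mention above (a non-executable stack and randomized load addresses) are properties a defender can verify in a binary before trusting it. The following is an added example, not code from this thread or from any project it discusses: it parses the ELF64 header of a Linux binary and reports whether the binary requests a non-executable stack (a PT_GNU_STACK program header without the PF_X flag) and whether it is position-independent (ET_DYN, the prerequisite for ASLR to relocate the executable's base). The tiny ELF images it checks are constructed inline; Mac OS X Mach-O binaries use a different header layout that this parser does not handle.

```python
"""Report two exploit mitigations for a Linux ELF64 binary: NX stack and PIE.
Added example (not from the thread); the ELF images checked are constructed
inline so the script runs offline. Mach-O (Mac OS X) binaries are not handled."""
import struct

PT_GNU_STACK = 0x6474E551  # program header recording the requested stack permissions
PF_X = 0x1                 # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3     # fixed-address executable vs. position-independent


def elf_mitigations(data):
    """Return {'nx': bool, 'pie': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Without a PT_GNU_STACK header nothing asks for a non-executable stack, so
    # NX is reported as not verified, the same way checksec-style tools treat it.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def build_elf(e_type, stack_flags=None):
    """Synthesize a minimal ELF64 image (constructed test input, not a real binary)."""
    phdr = b""
    if stack_flags is not None:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                         64, 56, 1 if phdr else 0, 64, 0, 0)
    return ident + header + phdr


def check_file(path):
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as f:
        return elf_mitigations(f.read())


if __name__ == "__main__":
    hardened = build_elf(ET_DYN, 0x6)   # PIE, stack readable/writable only
    legacy = build_elf(ET_EXEC, 0x7)    # fixed address, executable stack
    print("hardened:", elf_mitigations(hardened))  # {'nx': True, 'pie': True}
    print("legacy:  ", elf_mitigations(legacy))    # {'nx': False, 'pie': False}
```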

of course it only took seconds !
by Yagami on Thu 19th Mar 2009 09:44 UTC
Yagami
Member since:
2006-07-15

That is why we spend money on dual cores and millions of GHz and RAM!

And Firefox and IE being cracked later just shows that they are bloated and slow!!! I mean, what is this? A ZX Spectrum? Should I have to wait 3-5 minutes for the crack to load? Can I press the space bar?

I am confident that my Linux box can be cracked in less than one second!!! It's just super fast, very stable, everything is working really well.

Reply Score: 1

Apple code NOT cracked - WebKit
by lqsh on Thu 19th Mar 2009 13:01 UTC
lqsh
Member since:
2007-01-01

"It wasn't Apple's proprietary code in Safari that was cracked."

http://www.appleinsider.com/articles/09/03/19/mac_security_research...

Reply Score: 0

Thom_Holwerda Member since:
2005-06-29

That quote refers to LAST YEAR.

Reply Score: 0

lqsh Member since:
2007-01-01

my bad

although, we'll see if it's WebKit this year as well

Edited 2009-03-19 13:17 UTC

Reply Score: 2

PlatformAgnostic Member since:
2006-01-02

WebKit is Apple's rendering engine. They contribute the most to it and by shipping it they are fully responsible for whatever bugs it contains (if a company adopts Open Source, it doesn't make them less culpable for the bugs in it).

Reply Score: 3

segedunum Member since:
2005-07-06

"It wasn't Apple's proprietary code in Safari that was cracked."

That's just a sad deluded excuse and also last year's method. There is a core to WebKit certainly, but the way it works in Safari has seen it extended with Apple's own code and APIs and the way it is implemented on OS X. Then there is the whole Dashboard implementation which is a whole other level and another can of worms.

If it really was WebKit then we would have seen WebKit browsers on Windows, such as Chrome or even Safari, or Chrome on Linux, being easy targets. We haven't. As Miller said in TFA:

He makes a clear distinction between the browser and the underlying operating system, stating that for example while Firefox on Windows is very hard to crack, Firefox on Mac OS X is easy, because Mac OS X lacks all the anti-exploit features Windows has built-in. "The things that Windows do to make it harder [for an exploit to work], Macs don't do," Miller says, "Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows."

Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

Chrome is a WebKit-using browser:

There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of.

Edited 2009-03-20 22:00 UTC

Reply Score: 2

Like shooting fish in a barrel.
by jessta on Thu 19th Mar 2009 14:09 UTC
jessta
Member since:
2005-08-17

Like shooting fish in a barrel.
We know all the browsers have exploits, because they are massive and ridiculously complicated code bases.

We also know they are really buggy, due to the same reason. Which continues to beg the question, why do we keep building additional massive applications on top of this platform? All for the single advantage of 'easy' deployment.

Reply Score: 3

Come on guys
by Boomshiki on Thu 19th Mar 2009 15:53 UTC
Boomshiki
Member since:
2008-06-11

Of course these guys had a practiced exploit in hand. That is what the competition is.

It's like saying that Joe Football player deceived everyone because he practiced catching a football long before the game.

Let's all quit bitching and finding reasons why this isn't Apple's fault. We are not proving that a hacker can buy a Mac and on his first day take over your computer in a couple of seconds; it proves that if he owns a Mac, and has studied it, he could proceed to take over your computer in a matter of seconds. You can argue about how you have to click his link, and how OS X users are far too smart for that, but just stop it. Take the news, brood over it if you have to, but in the end, just f--k off about it.

Reply Score: 5

taking over via the browser is good enough
by JoeBuck on Thu 19th Mar 2009 19:02 UTC
JoeBuck
Member since:
2006-01-11

If a cracker can get in via the browser and can then operate after that with the full privileges of the user, that's good enough for all practical purposes on a machine that basically has one user. Ordinary user permissions suffice to send spam or to participate in a botnet. Whining that an attack by means of the browser is somehow less serious is misguided.

Reply Score: 4

Frustrating
by Evan on Thu 19th Mar 2009 21:06 UTC
Evan
Member since:
2006-01-18

It really strikes me as odd that by 2009 we still have links that can render computers completely in the control of a black hat and his botnet.

Is there something fundamental about rendering HTML and JavaScript, or is it just that browsers are an easier vector to attack, since your user will be requesting data as opposed to a hacker actively port scanning and abusing poorly firewalled systems?

I'd really like to be enlightened on this further as this is far too frustrating.

Reading about man-in-the-middle attacks and online banking sites that don't update their certificates, and then something like this, basically makes me fear using the internet more than ever for anything beyond pretending to be someone I'm not and flaming people on forums.

Blah.

Reply Score: 2

Guess I will switch to windows...
by kaelodest on Thu 19th Mar 2009 22:42 UTC
kaelodest
Member since:
2006-02-12

... Uh yeah like right now...

I wish I was being snarky, but I want to brush up on some AD and test IE 8...

I believe that this exploit only worked because he had changed some settings in the OS and then had physical access to the unit. -=- But it sells banner space.

Reply Score: 0

mightshade Member since:
2008-11-20

I believe that this exploit only worked because he had changed some settings in the OS and then had physical access to the unit.

He didn't. The contest rules don't allow that. Actually, the article says that a machine operator (NOT the hacker) clicked on a weblink and Miller had remote access right away. Did you read that at all?

Reply Score: 2

Well
by Bounty on Thu 19th Mar 2009 22:45 UTC
Bounty
Member since:
2006-09-18

Not every exploit is reliable. Sometimes you have checked your exploit very carefully, and they have something ever so slightly different. Some exploits are very reliable or simple and take no work or jiggling of the handle (like IIS Unicode/Code Red). It just worked. The fact that he walked in and threw down on Safari means it is probably a reliable exploit.

I don't know how long it took for the other exploits, it may be telling if we find out. I'm guessing it wasn't 10 seconds for the others. If it was, the headline would be everything pwned in 30 seconds! The IE/Windows 7 exploit was described as brilliant I think, which may mean it was not easy, or quick to execute. It may have taken several delicate steps to get access.

Reply Score: 1

skingers6894
Member since:
2005-08-10

Headlines that bleat "hacked in seconds" from sites purporting to be somewhat expert in operating systems are a bit disingenuous. The vulnerability was found and an exploit prepared and practiced well ahead of the contest. With the canned exploit at the ready the time to hack will always be pretty damn fast; computers tend to be pretty fast.

Is it news that the security consultant found an exploit in source code openly available and kept it to himself in order to win a laptop and personal glory? Maybe. Is it news that an exploit once written and practiced would execute in seconds on modern computer hardware? Not really.

Reply Score: 3

Another disingenuous title...come on Thom!
by Smeagol on Fri 20th Mar 2009 14:25 UTC
Smeagol
Member since:
2006-01-16

Hacked in seconds? Please. As if Miller had no idea he was going to be attending a few months/years in advance?

Nice sensationalism. Bravo!

Reply Score: 1