Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption

As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Sad to say
by kaiwai on Thu 19th Mar 2009 07:10 UTC
kaiwai Member since:
2005-07-06

I'm not surprised that it has happened; Apple hasn't seemed to learn a single thing; they introduce garbage collection with Objective-C and yet none of the components of Mac OS X use it, they introduce ASLR and again very few components use it.

It will be interesting to see how it was cracked - and hopefully Apple will wake up and do something about the security issues in Safari and Quicktime (which is another one which has had numerous security alerts).

Reply Score: 8

RE: Sad to say
by evangs on Thu 19th Mar 2009 07:29 in reply to "Sad to say"
evangs Member since:
2005-07-07

I think it'll be quite a few years before we see Objective-C 2.0 adopted throughout all of Apple's software. I mean, look at .NET and how prevalent it is in Microsoft's offerings. A decade after it's been introduced, the majority of their software is still Win32.

I hope Apple will spend considerably more effort in pushing Objective-C 2.0 adoption.

Reply Parent Score: 6

RE[2]: Sad to say
by Alexco on Thu 19th Mar 2009 08:15 in reply to "RE: Sad to say"
Alexco Member since:
2006-05-25

Garbage collection alone does not increase security. And Objective-C 2.0 runs only on Leo, but Safari has to work on 10.4, too.

Reply Parent Score: 2

RE[2]: Sad to say
by werpu on Thu 19th Mar 2009 09:22 in reply to "RE: Sad to say"
werpu Member since:
2006-01-18

I think it'll be quite a few years before we see Objective-C 2.0 adopted throughout all of Apple's software. I mean, look at .NET and how prevalent it is in Microsoft's offerings. A decade after it's been introduced, the majority of their software is still Win32.

I hope Apple will spend considerably more effort in pushing Objective-C 2.0 adoption.

Well, the issue with .NET is that it is VM based. I have been using VM based languages for a long time now, and I would not see any reason to move vital parts of an OS infrastructure towards a VM, especially if it works well (except for portability reasons). You will get a huge speed hit and memory consumption goes through the roof. It might be interesting for new applications, but moving legacy code over is sort of a no go.
Same goes for Apple, although introducing GC only has minor impacts on mem consumption and speed; there is simply no reason to do it! Newer code can be programmed against it; older code, which probably will never be touched again except for bugfixing once in a while, does not make sense to port over!

Reply Parent Score: -1

RE: Sad to say
by Kroc on Thu 19th Mar 2009 07:36 in reply to "Sad to say"
Kroc Member since:
2005-11-10

I'm not surprised because they attacked the browser. Lame.

Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.

Seriously, cracking browsers is boring -- I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500'000 direct attacks, and not one successful.

Reply Parent Score: 3

RE[2]: Sad to say
by Thom_Holwerda on Thu 19th Mar 2009 07:42 in reply to "RE: Sad to say"
Thom_Holwerda Member since:
2005-06-29

Weakest link in the chain, Kroc.

Reply Parent Score: 8

RE[2]: Sad to say
by darknexus on Thu 19th Mar 2009 07:42 in reply to "RE: Sad to say"
darknexus Member since:
2008-07-15

The browser is also one of the most likely targets for an exploit, precisely because it's often so vulnerable and because it is one of the most used components of the operating system. No matter how boring it is, it's still significant, and full os security isn't worth jack if the browser is insecure.

Reply Parent Score: 13

RE[2]: Sad to say
by Soulbender on Thu 19th Mar 2009 07:48 in reply to "RE: Sad to say"
Soulbender Member since:
2005-08-18

I wanted to see direct attacks against the OS and *then* see how well it stands up.


Who cares when you can take *control of the machine* via the browser?

Reply Parent Score: 12

RE[2]: Sad to say
by Karitku on Thu 19th Mar 2009 07:49 in reply to "RE: Sad to say"
Karitku Member since:
2006-01-12

Pretty poor excuse, given the fact that the browser is the most used program on any computer and a major reason why so many people use computers at home.

Reply Parent Score: 8

RE[2]: Sad to say
by Valhalla on Thu 19th Mar 2009 08:00 in reply to "RE: Sad to say"
Valhalla Member since:
2006-01-24

In order to remotely attack a machine you need a way to deploy that attack. These days most operating systems (even Windows) have realized that keeping a lot of default ports open (listening) is stupid. So the best way to deploy your attack is pretty much through the web.

However, some things bother me with this: they claim that they can take full control of the machine through the web browser. How exactly can they do that if the browser is running in userland under an account with user privileges? The way I see it, they can only utilize the power given to the account which the browser is running under, unless they also have some OS privilege-elevation exploit as well?

Or are all these browsers being run under administrator privileges (which is pretty stupid)?

Reply Parent Score: 5

RE[2]: Sad to say
by kaiwai on Thu 19th Mar 2009 09:51 in reply to "RE: Sad to say"
kaiwai Member since:
2005-07-06

I'm not surprised because they attacked the browser. Lame.

Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.

Seriously, cracking browsers is boring -- I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500'000 direct attacks, and not one successful.


Whether someone robs your house by getting through the front door or through one of the windows; to claim that it is 'boring' that they got through the window instead of breaking down your super reinforced door is an attempt to ignore what just happened - you've just been robbed!

Apple has sandbox technology; why isn't Safari running in the sandbox which some of the services run in? Why doesn't Quicktime operate in the sandbox? Again, Apple has the technology but they aren't taking advantage of it.

Reply Parent Score: 4

RE[2]: Sad to say
by Ford Prefect on Thu 19th Mar 2009 13:42 in reply to "RE: Sad to say"
Ford Prefect Member since:
2006-01-16

You know that the browser is probably the application doing most communication to the outside world running on the average desktop?

It makes perfect sense to go after it. Maybe a browser really is the hardest application to harden. Still it also is the most important one.

Reply Parent Score: 2

RE: Sad to say
by werpu on Thu 19th Mar 2009 09:19 in reply to "Sad to say"
werpu Member since:
2006-01-18

I'm not surprised that it has happened; Apple hasn't seemed to learn a single thing; they introduce garbage collection with Objective-C and yet none of the components of Mac OS X use it, they introduce ASLR and again very few components use it.


You forgot one thing: the components of OS X are way older than the GC in Objective-C; they are proven, well-running code. So why change them just to get a speed hit introduced by GC...
GC does not do a single thing to improve security, btw... it only makes programs more stable to some degree by taking over the memory freeing.
The biggest thing to add security is to add strings which have clear boundaries to a language. One of the reasons why C based programs are so inherently insecure is their handling of strings as glorified pointers. Sure, there are routines for string copying which prevent the buffer overflow issues introduced by such data structures, but languages like Pascal, Modula and others didn't have them in the first place...
GC does not help there either. Don't get me wrong, I am a huge fan of GC; I use it on a day-to-day basis and have been using it for more than a decade, but blaming Apple for not moving old legacy code over to new GC at a time the legacy code is stable and runs well is idiotic!

Reply Parent Score: 3
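
The point made in the comment above about strings with clear boundaries, as an added example that is not part of the thread or any code discussed in it: a C string type that carries its own length and capacity, so an oversized copy is refused instead of overwriting the neighbouring field. The names `bstr`, `bstr_append` and `struct record`, and the sample inputs, are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded string: length and capacity travel with the data,
   as in the Pascal-style strings the comment refers to. */
#define BSTR_CAP 16

typedef struct {
    size_t len;             /* bytes in use; authoritative, no NUL needed */
    char   data[BSTR_CAP];
} bstr;

/* Every write checks the boundary before touching memory.
   Returns 0 on success, -1 if the input does not fit (nothing is written). */
static int bstr_append(bstr *dst, const char *src, size_t n)
{
    if (n > BSTR_CAP - dst->len)   /* cannot wrap: len <= BSTR_CAP is invariant */
        return -1;
    memcpy(dst->data + dst->len, src, n);
    dst->len += n;
    return 0;
}

/* A string followed by data that must not be clobbered. */
struct record {
    bstr     name;
    unsigned is_admin;
};

/* Constructed input longer than the buffer (24 bytes into 16). */
static int demo_oversized_input(void)
{
    struct record r = { { 0, {0} }, 0 };
    const char input[] = "AAAAAAAAAAAAAAAAAAAAAAAA";

    int rc = bstr_append(&r.name, input, sizeof input - 1);
    /* strcpy(r.name.data, input) would write past data[] into is_admin;
       here the write is refused and the neighbouring field is intact. */
    return rc == -1 && r.name.len == 0 && r.is_admin == 0;
}

/* Inputs that fit are appended normally, up to exactly BSTR_CAP bytes. */
static int demo_fitting_input(void)
{
    bstr s = { 0, {0} };
    return bstr_append(&s, "safari-4", 8) == 0
        && bstr_append(&s, "12345678", 8) == 0   /* fills to capacity */
        && bstr_append(&s, "x", 1) == -1         /* one more byte is refused */
        && s.len == BSTR_CAP && memcmp(s.data, "safari-412345678", 16) == 0;
}

int main(void) { return (demo_oversized_input() && demo_fitting_input()) ? 0 : 1; }
```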