Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption
As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later to cracker Nils, who also cracked Safari and Firefox after being done with IE8.
RE: Sad to say
by Kroc on Thu 19th Mar 2009 07:36 UTC in reply to "Sad to say"
Kroc Member since:
2005-11-10

I'm not surprised because they attacked the browser. Lame.

Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.

Seriously, cracking browsers is boring -- I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500'000 direct attacks, and not one successful.

Reply Parent Score: 3

RE[2]: Sad to say
by Thom_Holwerda on Thu 19th Mar 2009 07:42 in reply to "RE: Sad to say"
Thom_Holwerda Member since:
2005-06-29

Weakest link in the chain, Kroc.

Reply Parent Score: 8

RE[3]: Sad to say
by Kroc on Thu 19th Mar 2009 08:08 in reply to "RE[2]: Sad to say"
Kroc Member since:
2005-11-10

A self-propagating Mac virus is not going to be very successful unless it can spread via other means than just the browser. It may enter via the browser, but going machine to machine is going to need to be more clever than that.

The patch for this flaw will be released, and this whole thing would have been nothing but one big ego-trip for the hacker, with no profound meaning.

Are we to expect to shower the grey-hats and white-hats with attention and prizes for every browser bug they find? No, finding and reporting browser bugs should be humble work, and many hackers are humble enough to do it this way, letting the vendor know early and giving them time to resolve the issue.

This competition is just to sensationalise and rile up the haters and the ignorant over a matter that should be handled much better.

-- PS. Both Webkit and Gecko are open source engines, if the guy weren't a pr!ck, then he would have filed the bugs and provided patches. This competition just waves money in front of hackers' faces and says "Hey, don't contribute to the safety of everybody online, when you can have all this money, and your name splashed across the news for days!".

This is disrespectful to the end user, the person who, we tend to forget, is the most important person in front of the computer.

Edited 2009-03-19 08:14 UTC

Reply Parent Score: 4

RE[2]: Sad to say
by darknexus on Thu 19th Mar 2009 07:42 in reply to "RE: Sad to say"
darknexus Member since:
2008-07-15

The browser is also one of the most likely targets for an exploit, precisely because it's often so vulnerable and because it is one of the most used components of the operating system. No matter how boring it is, it's still significant, and full OS security isn't worth jack if the browser is insecure.

Reply Parent Score: 13

RE[2]: Sad to say
by Soulbender on Thu 19th Mar 2009 07:48 in reply to "RE: Sad to say"
Soulbender Member since:
2005-08-18

I wanted to see direct attacks against the OS and *then* see how well it stands up.


Who cares when you can take *control of the machine* via the browser?

Reply Parent Score: 12

RE[3]: Sad to say
by macUser on Thu 19th Mar 2009 16:13 in reply to "RE[2]: Sad to say"
macUser Member since:
2006-12-15

I'd be curious to see what the system setup was as I didn't see that in the original article.

Was this user an admin user or a non-privileged user? Does that matter for the exploit? (Guess we'll find out when the patch is deployed.)

Being the first to fall really doesn't mean much to me, all it means is that someone with a working exploit went to that machine first, vs the other machines. I see Safari, IE and Firefox all went down today...

Reply Parent Score: 1

RE[2]: Sad to say
by Karitku on Thu 19th Mar 2009 07:49 in reply to "RE: Sad to say"
Karitku Member since:
2006-01-12

Pretty poor excuse, given the fact that the browser is the most used program on any computer and a major reason why so many people use computers at home.

Reply Parent Score: 8

RE[2]: Sad to say
by Valhalla on Thu 19th Mar 2009 08:00 in reply to "RE: Sad to say"
Valhalla Member since:
2006-01-24

In order to remotely attack a machine you need a way to deploy that attack. These days most operating systems (even Windows) have realized that keeping a lot of default ports open (listening) is stupid. So the best way to deploy your attack is pretty much through the web.

However some things bother me with this, they claim that they can take full control of the machine through the web browser, how exactly can they do that if the browser is running in userland under an account with user privileges? The way I see it they can only utilize the power given to the account which the browser is running under unless they also have some OS privilege-elevation exploit as well?

Or are all these browsers being run under administrator privileges (which is pretty stupid)?

Reply Parent Score: 5

RE[3]: Sad to say
by -oblio- on Thu 19th Mar 2009 09:40 in reply to "RE[2]: Sad to say"
-oblio- Member since:
2008-05-27

Windows XP - ~90% market share. Default user account is in the administrator's group. So the browser runs as this user, which is basically an administrator. Therefore ~90% of computer users run their web browsers with administrative privileges (or equivalent).

Reply Parent Score: 4

RE[3]: Sad to say - escalation
by jabbotts on Thu 19th Mar 2009 13:08 in reply to "RE[2]: Sad to say"
jabbotts Member since:
2007-09-06

I hear that OS X isn't too hard against privilege escalation. Anyone know if "unapproved" applications will still run simply by changing the identifier text file within the program's directories? (seen as a single object when only viewed through Finder)

It'll be interesting to see the details of the exploits used if/when they become available.

Reply Parent Score: 2

RE[3]: Sad to say
by ciplogic on Thu 19th Mar 2009 15:13 in reply to "RE[2]: Sad to say"
ciplogic Member since:
2006-12-22

The rules of the game were clear: it is not about user escalation, it is about getting user data. And this with nothing more than a click on a link. Which is pretty shameful. What if I click on OSMEVS.COM and someone reads all my home folder? It is not a funny experience!

Reply Parent Score: 5

RE[2]: Sad to say
by kaiwai on Thu 19th Mar 2009 09:51 in reply to "RE: Sad to say"
kaiwai Member since:
2005-07-06

I'm not surprised because they attacked the browser. Lame.

Browsers have to parse a near infinite combination of good and bad HTML, Javascript and many other formats. The browser is the biggest and most potential attack surface a hacker has to play with.

Seriously, cracking browsers is boring -- I wanted to see direct attacks against the OS and *then* see how well it stands up. Remember the Mac Mini that was left open to the net for 48 hours? 500'000 direct attacks, and not one successful.


Whether someone robs your house by getting through the front door or through one of the windows; to claim that it is 'boring' that they got through the window instead of breaking down your super reinforced door is an attempt to ignore what just happened - you've just been robbed!

Apple has sandbox technology, why isn't Safari running in the sandbox which some of the services run in? Why doesn't QuickTime operate in the sandbox? Again, Apple has the technology but they aren't taking advantage of it.

Reply Parent Score: 4

RE[2]: Sad to say
by Ford Prefect on Thu 19th Mar 2009 13:42 in reply to "RE: Sad to say"
Ford Prefect Member since:
2006-01-16

You know that the browser is probably the application doing most communication to the outside world running on the average desktop?

It makes perfect sense to go after it. Maybe a browser really is the hardest application to harden. Still it also is the most important one.

Reply Parent Score: 2