Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption

As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Comment by Hakime
by Hakime on Thu 19th Mar 2009 08:05 UTC
Hakime Member since:
2005-11-16

"It will be interesting to see how it was cracked - and hopefully Apple will wake up and do something about the security issues in Safari and Quicktime"

You say that and at the same time IE and Firefox were also compromised. How does your point make any sense here?

" contest by cracking Safari and Mac OS X within seconds of the start of the competition."

BS, his job is to find security holes, he surely spent plenty of time to find this one, saying that he did this in x or y seconds for sensationalism does not make any sense as he had tested before if the exploit works. The only thing that he needed was someone to click where he wanted it.

"This is the second year in a row that Safari on the Mac is the first to fall in the PWN2OWN contest, again by Miller's hands."

The order is not important here because they all fell in the same stage of the contest. Because Miller demonstrated his exploit first does not mean that Safari fell first. You make it sound that Safari fell first and therefore it is less secure but the fact is that IE or Firefox fell exactly in the same manner, regardless of who performed the exploit first.

"So far, only Chrome hasn't been cracked yet, but that probably won't take long"

Humm, the flaw in Safari is probably in WebKit, Chrome is probably also affected.

Score: 7

RE: Comment by Hakime
by Thom_Holwerda on Thu 19th Mar 2009 08:24 in reply to "Comment by Hakime"
Thom_Holwerda Member since:
2005-06-29

"BS, his job is to find security holes, he surely spent plenty of time to find this one, saying that he did this in x or y seconds for sensationalism does not make any sense as he had tested before if the exploit works. The only thing that he needed was someone to click where he wanted it."

I said that he had cracked Safari within seconds of the competition. This is 100% fact, and there's nothing sensationalistic about it. It would be sensationalism if I had written something like "Safari Cracked within Seconds, Apple Most Insecure Company EVARR!!!"

But I didn't. This article is simply a lineup of facts. Like it or not. As usual, you are trying to shoot the messenger.

"You make it sound that Safari fell first and therefore it is less secure but the fact is that IE or Firefox fell exactly in the same manner, regardless of who performed the exploit first."

Why is it always the messenger shooting with you Apple folk? I didn't say ANYTHING about who is less secure than the other! You are just making stuff up now.

This is a simple listing of facts of how the contest went. That's all. I can't help it that your pet company's browser was the first to fall again. Only with Apple fans can journalists/bloggers be blamed for a possible Cupertino screw up.

"Humm, the flaw in Safari is probably in WebKit, Chrome is probably also affected."

Doesn't have to be WebKit, but could be.

Edited 2009-03-19 08:32 UTC

Score: 6

RE[2]: Comment by Hakime
by JonathanBThompson on Thu 19th Mar 2009 09:38 in reply to "RE: Comment by Hakime"
JonathanBThompson Member since:
2006-05-26

Thom, your reading comprehension is too low to catch this fact mentioned in the article:

"He went out of his way to test the exploit before the contest to make sure it would work every time."

In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that. I'm imagining that unless he got the user to enter their password, it wasn't quite as "total" as stated: if you can't enter the password for certain things, or do something to configure things such that you don't need it, it isn't truly total control over the machine, but it can still at least be very damaging to that user's accounts.

Score: 3