Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Thread beginning with comment 353854
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Comment by Hakime
by Thom_Holwerda on Thu 19th Mar 2009 08:24 UTC in reply to "Comment by Hakime"
Thom_Holwerda
Member since:
2005-06-29

BS, his job is to find security holes, he surely spend plenty of time to find this one, saying that he did this in x or y second for sensationalism does not make any sense as he had tested before if the exploit works. The only thing that he needed was someone to click where he wanted it.


I said that he had cracked Safari within seconds of the competition. This is 100% fact, and there's nothing sensationalistic about it. It would be sensationalism if I had written something like "Safari Cracked within Seconds, Apple Most Insecure Company EVARR!!!"

But I didn't. This article is simply a lineup of facts. Like it or not. As usual, you are trying to shoot the messenger.

You make is it sound that Safari fell first and therefore it is less secure but the fact is that IE or Firefox fell exactly in the same manner, regardless who performed the exploit first.


Why is it always the messenger shooting with you Apple folk? I didn't say ANYTHING about who is less secure than the other! You are just making stuff up now.

This is a simple listing of facts of how the contest went. That's all. I can't help it that your pet company's browser was the first to fall again. Only with Apple fans can journalists/bloggers be blamed for a possible Cupertino screw up.

Humm, the flaw in Safari is probably in webkit, Chrome is probably also affected.


Doesn't have to be WebKit, but could be.

Edited 2009-03-19 08:32 UTC

Reply Parent Score: 6

RE[2]: Comment by Hakime
by JonathanBThompson on Thu 19th Mar 2009 09:38 in reply to "RE: Comment by Hakime"
JonathanBThompson Member since:
2006-05-26

Thom, your reading comprehension is too low to catch this fact mentioned in the article:

He went out of his way to test the exploit before the contest to make sure it would work every time.


In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that. I'm imagining that unless he got the user to enter their password, it wasn't quite as "total" as stated: if you can't enter the password for certain things, or do something to configure things such that you don't need it, it isn't truly total control over the machine, but it can still at least be very damaging to that user's accounts.

Reply Parent Score: 3

RE[3]: Comment by Hakime
by Thom_Holwerda on Thu 19th Mar 2009 09:45 in reply to "RE[2]: Comment by Hakime"
Thom_Holwerda Member since:
2005-06-29

In other words, he did not pwn Safari on the spur of the moment in a few seconds! He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.


I know.

Read what I wrote: "cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition."

And that's 100% accurate, exploit in hand or not.

Reply Parent Score: 4

RE[3]: Comment by Hakime
by Soulbender on Thu 19th Mar 2009 11:40 in reply to "RE[2]: Comment by Hakime"
Soulbender Member since:
2005-08-18

He went out of his way to test the exploit before the contest to make sure it would work every time.


Well, it's quite possible the other guys had also prepared for the browsers they worked on.

That being said, I'd truly love to know exactly what control over the machine he had as a result of that, as the ZDNet article is rather vague beyond stating that.


Yeah, I was also wondering how he got control over the machine from the browser. Running code, sure, but that would still only be under the user account.
Then again, having "root" isn't what most malware is interested in anyway.

but it can still at least be very damaging to that user's accounts.


Aside from not being able to change system files and configurations it can still be quite damaging. You can still run botnets from a user account, for example.

Edited 2009-03-19 11:42 UTC

Reply Parent Score: 5

RE[3]: Comment by Hakime
by Michael on Thu 19th Mar 2009 14:36 in reply to "RE[2]: Comment by Hakime"
Michael Member since:
2005-07-01

He went to the contest with a known-good exploit that was well-tested long before he ever walked in the door.

As is stated in the first sentence of the summary. This story has been covered here before so I guess Thom's just assuming we're all familiar with the facts (and it sounds like we are).

I think this competition is more about encouraging white hat hacking than exposing security flaws. So no point bickering about the results - they only prove that Charlie Miller knows his stuff.

Reply Parent Score: 4