Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10,000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later to cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Thread beginning with comment 353857
by henrikmk on Thu 19th Mar 2009 08:43 UTC

From the article above:

That fact highlights that, in reality, the platforms and browsers involved aren't targeted by a series of equal attacks. Instead, researchers arrive with exploits they hope to use against vulnerabilities they are aware of in specific platforms or browsers, but have not yet reported. Were they to report the exploits in advance, they would be patched by the vendor. There's no money in that, so the contest provides an incentive to report vulnerabilities.

If it's all so money motivated, perhaps Apple should simply pay Charlie Miller $500 every time he finds a valid security hole in an Apple application. Since he seems to be so good at it, they should take advantage of it. That would be cheaper for them than having headlines like this, which is likely to cost them a few Mac purchases (but not that many).

Edited 2009-03-19 08:44 UTC

Reply Score: 6

RE: Money
by Thom_Holwerda on Thu 19th Mar 2009 08:47 in reply to "Money"

Definitely true. Which is why Microsoft is actively seeking out people like Miller and paying/employing them to do just that, and it's also why they actually had people present during the contest. That's what we call an active security policy.

But let's face it, Microsoft needed such a policy. Vista and 7 are doing much better now, though. Apple has had no reason to do this, and this exploit probably doesn't really change anything about that. This exploit might be fun and all, but it doesn't really change the fact that Mac OS X is still pretty secure.

Then again, so are Linux, Vista, and 7. Security is no longer really a reason to specifically pick either of those (well, unless Microsoft stays in retard mode and doesn't fix the broken UAC in Windows 7).

Edited 2009-03-19 08:49 UTC

Reply Parent Score: 3

RE[2]: Money
by kragil on Thu 19th Mar 2009 09:50 in reply to "RE: Money"

I call BS.

I attended the Chaos Communication Congress in Berlin a few times and talked to people who exploit systems for a living, and they say if you want to be really safe you have to use a system with little marketshare and with great security.

That is why in the real world you are way, way more secure running a Linux distro with SELinux enabled throughout (like Fedora) or AppArmor, Smack, etc. Or maybe even better OpenBSD (similar security, even less marketshare).

Edited 2009-03-19 09:51 UTC

Reply Parent Score: 1

RE[2]: Money
by paws on Thu 19th Mar 2009 15:54 in reply to "RE: Money"

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds. The guy spent hours, days, weeks, maybe months looking for this hole, then even more time writing code that performed the exploit. Then he ran it, and that apparently only took seconds. Big f--king deal.

My personal web site generation framework has I don't know how many hundreds of hours of work put into it, but it spits out pages in usually somewhere between ten and twenty milliseconds. That says nothing about the effort involved (well, it does, in that it did take a bit of optimisation to get it to run faster).

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here. No one shows up to this kind of thing and then starts looking for exploits.

ERGO: the non-sensationalist headline for this story would be something like "BROWSERS STILL SUCK AT THE SECURITIES".

End message.

Reply Parent Score: 5