Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Thread beginning with comment 353858
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Money
by Thom_Holwerda on Thu 19th Mar 2009 08:47 UTC in reply to "Money"
Thom_Holwerda
Member since:
2005-06-29

Definitely true. Which is why Microsoft is actively seeking out people like Miller and paying/employing them to do just that,and it's also why they actually had people present during the contest. That's what we call an active security policy.

But let's face it, Microsoft needed such a policy. Vista and 7 are doing much better now, though. Apple has had no reason to do this, and this exploit probably doesn't really change anything about that. This exploit might be fun and all, but it doesn't really change the fact that Mac OS X is still pretty secure.

Then again, so are Linux, Vista, and 7. Security is no longer really a reason to specifically pick either of those (well, unless Microsoft stays in retard mode and doesn't fix the broken UAC in Windows 7).

Edited 2009-03-19 08:49 UTC

Reply Parent Score: 3

RE[2]: Money
by kragil on Thu 19th Mar 2009 09:50 in reply to "RE: Money"
kragil Member since:
2006-01-04

I call BS.

I attended the chaos communication congress in berlin a few times and talked to people who exploit systems for a living and they say if you want to be really safe you have to use a system with little marketshare and with great security.

That is why in the real world you are way way more secure running a Linux distro with SELinux enabled throughout (like Fedora) or AppArmor, Smack etc. Or maybe even better OpenBSD (similar security, even less marketshare)

Edited 2009-03-19 09:51 UTC

Reply Parent Score: 1

RE[3]: Money
by sakeniwefu on Thu 19th Mar 2009 15:52 in reply to "RE[2]: Money"
sakeniwefu Member since:
2008-02-26


That is why in the real world you are way way more secure running a Linux distro with SELinux enabled throughout (like Fedora) or AppArmor, Smack etc. Or maybe even better OpenBSD (similar security, even less marketshare)


That is true(only marketshare has nothing to do with it as long as you don't use windows), but most people get carried away by benchmarks. OpenBSD won't ever compare favorably to Windows or vanilla Linux in benchmarks. And people want their games and browsers and videos at 3000 fps.

If you want your OS to be used, you cannot start putting canaries in your stack, making allocations with byte granularity and randomizing the positions of everything.

Linux has gotten a bit better lately, and there is SELinux(ahem), but I don't see a default Ubuntu installation ever including half of it.

As long as you can more or less follow an introduction to Hacking tutorial with your OS it means it is insecure as hell and you are just lucky of not having been targeted yet.

Reply Parent Score: 2

RE[2]: Money
by paws on Thu 19th Mar 2009 15:54 in reply to "RE: Money"
paws Member since:
2007-05-28

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds. The guy spent hours, days, weeks, maybe months looking for this whole, then even more time writing code that performed the exploit. Then he ran, and that apparently only took seconds. Big f--king deal.

My personal web site generation framework has I don't know how many hundreds of hours of work put in it, but it spits out pages in usually somewhere between ten and twenty miliseconds. That says nothing about the effort involved (well, it does, in that it did take a bit of optimisation to get it to run faster).

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here. Noone shows up to this kind of thing and then start looking for exploits.

ERGO: the non-sensationalist headline for this story would be something like "BROWSERS STILL SUCK AT THE SECURITIES".

End message.

Reply Parent Score: 5

RE[3]: Money
by macUser on Thu 19th Mar 2009 16:15 in reply to "RE[2]: Money"
macUser Member since:
2006-12-15

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds. The guy spent hours, days, weeks, maybe months looking for this whole, then even more time writing code that performed the exploit. Then he ran, and that apparently only took seconds. Big f--king deal.

My personal web site generation framework has I don't know how many hundreds of hours of work put in it, but it spits out pages in usually somewhere between ten and twenty miliseconds. That says nothing about the effort involved (well, it does, in that it did take a bit of optimisation to get it to run faster).

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here. Noone shows up to this kind of thing and then start looking for exploits.

ERGO: the non-sensationalist headline for this story would be something like "BROWSERS STILL SUCK AT THE SECURITIES".

End message.


I'd mod you up, but I already responded. Couldn't have said it better!

Reply Parent Score: 1

RE[3]: Money
by macUser on Thu 19th Mar 2009 16:16 in reply to "RE[2]: Money"
macUser Member since:
2006-12-15

dupe post

Edited 2009-03-19 16:17 UTC

Reply Parent Score: 1

RE[3]: Money
by tupp on Thu 19th Mar 2009 19:18 in reply to "RE[2]: Money"
tupp Member since:
2006-11-12

That Firefox and IE took longer to fall just means that the people who went after them weren't as well prepared, or possibly less talented than whatshisface here.

Or, more likely, it means that Safari is easier to crack, even though the Firefox an IE crackers prepared just as much as "whatshisface."


Noone shows up to this kind of thing and then start looking for exploits.

Of course.

All of the crackers prepared in advance, and Safari was the easiest and quickest to crack.

So, the headline should read: "SAFARI ONCE AGAIN SHOWN TO BE THE EASIEST TO CRACK, IN SPITE OF APPLE FANBOYS' ATTEMPTS TO SPIN OTHERWISE."

End of story.

Reply Parent Score: 4

RE[3]: Money
by segedunum on Sun 22nd Mar 2009 00:43 in reply to "RE[2]: Money"
segedunum Member since:
2005-07-06

Once more for the hard of hearing: Safari was taken down, yes, but not in seconds.

Yes it was because it took very little time for exploit to actually do its job.

The guy spent hours, days, weeks, maybe months looking for this whole, then even more time writing code that performed the exploit. Then he ran, and that apparently only took seconds. Big f--king deal.

The Apple fanboys are so funny.

Yes, he did come with a pre-prepared exploit in his pocket. However, he and others did exactly the same to other operating systems and browsers and found nothing, and if they did it was very, very little. He knew he was going to be able to exploit OS X and Safari regardless of how much time he spent on it.

Yer. It really isn't a big deal at all.

Edited 2009-03-22 00:48 UTC

Reply Parent Score: 2