Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption
As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later to cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Thread beginning with comment 353859
Which version?
by darknexus on Thu 19th Mar 2009 08:50 UTC
darknexus Member since:
2008-07-15

Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?

Reply Score: 2

RE: Which version?
by steviant on Thu 19th Mar 2009 12:13 in reply to "Which version?"
steviant Member since:
2006-01-11

"Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?"

They used Safari 4 running on an up-to-date version of Leopard, versus the latest Windows 7 and IE8, so it's possible that whatever bug was exploited is fixed in 10.6 or the latest WebKit nightlies, but I'd be very surprised. On the face of things it seems like a pretty fair competition.

From canwestsec.com:

On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (Yes that means the Safari 4 beta, the latest build of IE8 we can get our hands on, and the upcoming FireFox release) on each of the two prize laptops (for the corresponding multi-os browsers).

Reply Parent Score: 1

RE[2]: Which version?
by polaris20 on Thu 19th Mar 2009 15:44 in reply to "RE: Which version?"
polaris20 Member since:
2005-07-06

"Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?


They used Safari 4 running on an up-to-date version of Leopard, versus the latest Windows 7 and IE8, so it's possible that whatever bug was exploited is fixed in 10.6 or the latest WebKit nightlies, but I'd be very surprised. On the face of things it seems like a pretty fair competition.

From canwestsec.com:

On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (Yes that means the Safari 4 beta, the latest build of IE8 we can get our hands on, and the upcoming FireFox release) on each of the two prize laptops (for the corresponding multi-os browsers)."

So a beta browser on OS X is cracked, and a beta browser on a beta operating system is cracked (Win7).

Does anyone know if these exploits are also in the production versions of the browsers/OSes in question? Because otherwise this feat of cracking a beta product is somewhat diminished.

I for one don't run beta browsers or OSes on anything other than test machines or VMs, never in a production environment where security is a concern.

Reply Parent Score: 3