Linked by Thom Holwerda on Thu 19th Mar 2009 06:44 UTC, submitted by Moulinneuf
Privacy, Security, Encryption As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. "It took a couple of seconds. They clicked on the link and I took control of the machine," Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later by cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Thread beginning with comment 353933
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Which version?
by polaris20 on Thu 19th Mar 2009 15:44 UTC in reply to "RE: Which version?"
Member since:

"Anyone know which version of Safari he cracked? Was it 3.2.1 or the 4 beta?

They used Safari 4 running on an up-to-date version of Leopard, versus the latest Windows 7 and IE8, so it's possible that whatever bug was exploited is fixed in 10.6 or the latest WebKit nightlies, but I'd be very surprised. On the face of things it seems like a pretty fair competition.


On the browser side, we will be running the latest bleeding edge version of each browser platform we can get our hands on (Yes that means the Safari 4 beta, the latest build of IE8 we can get our hands on, and the upcoming FireFox release) on each of the two prize laptops (for the corresponding multi-os browsers).

So a beta browser on OS X is cracked, and a beta browser on a beta operating system is cracked (Win7).

Does anyone know if these exploits are also in the production versions of the browsers/OS's in question? Because otherwise this feat of cracking a beta product is somewhat diminished.

I for one don't run beta browsers or OS's on anything other than test machines or VM's, never in a production environment where security is a concern.

Reply Parent Score: 3

RE[3]: Which version?
by steviant on Sat 21st Mar 2009 04:57 in reply to "RE[2]: Which version?"
steviant Member since:

In an interview with ZDnet, Charlie Miller has stated that his exploit also works on Safari 3, and that it was one option he could have used to win last year's competition.

Perhaps more interestingly he also claims that Mac OS X's lack of support for No eXecute memory and address space randomization makes it much easier to exploit OS X than Windows once a bug has been identified.

Reply Parent Score: 1