Pwn2Own 2009: Safari/MacBook falls in seconds

Pwn2Own 2009: Safari/MacBook falls in seconds

Summary: [ UPDATE: IE 8 and Safari also fall ]VANCOUVER, BC -- Charlie Miller has done it again.  For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple's Safari browser.

SHARE:

[ UPDATE: IE 8 and Safari also fall ]

VANCOUVER, BC -- Charlie Miller has done it again.  For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple's Safari browser.

"It took a couple of seconds.  They clicked on the link and I took control of the machine," Miller said moments after his accomplishment.

The contest kicked off at exactly 3:15 PM and, within seconds, Miller launched his drive-by attack and claimed the $10,000 top prize.  He also got to keep the MacBook machine.

Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure "it worked the first time."

TippingPoint's Zero Day Initiative has acquired the exclusive rights to the vulnerability and coordinate the disclosure and patch release process with Apple.

Technical details of the vulnerability will not be released until a patch is ready.

Several hackers are currently attempting exploits against Internet Explorer 8 and Firefox but those browsers are still standing.

See the final contest rules here.

[ UPDATE: IE 8 and Safari also fall ]

Topics: Browser, Apple, Hardware, Malware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

121 comments
Log in or register to join the discussion
  • Again?

    Fool me once, shame on you. Fool me, twice shame on me.
    Sleeper Service
    • First to fall - two years in a row - in a few seconds!

      Wow, OSX + Safari was the first to fall two years in a row and it fell so much quicker than the others, it's nuts. A few seconds versus hours of hacking attempts on the others? The guy who cracked it even said publicly that he picked OSX and Safari to target because it is by far the easiest of the bunch to crack. I wonder how long it will take the RDF to kick into overdrive over this news. Even on a Mac, I won't use Safari.
      BillDem
      • Easy Hack

        It's easier than the others because of the Apple/Safari Monoculture.
        You know what the OS will be, you know what the hardware is likely to be, and if there is an undisclosed vulnerability, it will stay vunerable until the one vendor who is allowed to ix it, fixes it.

        However what this didn't say was whether the machine was fully patched, or which version of Safari was Pwned.

        Firefox3.x is still my browser of choice on Linux, OSX and Windows. 8)
        Safari4 does look nice though.
        chromeronin
        • re: Easy Hack

          http://blogs.zdnet.com/security/?p=2941

          "got a chance to sit down with Charlie Miller, the researcher who broke into a fully patched MacBook machine using a Safari code execution vulnerability."

          rtk
        • Need more details, please

          Article also doesn't say whether this hack works remotely, or if Miller
          needed to administrator's password -- which makes it a rather limited
          hack, wouldn't you think.

          Rather than simply gloating over hacking Safari, a better article might
          have explained the set-up a little more thoroughly.
          KaplanMike
  • HAHAHAHAHAHAHAHAHA!!!!!

    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!

    Plummeting computer sales.

    Plummeting iPhone sales.

    Plummeting security.

    What a fantastic week for anyone not emotionally invested in Apple! :)

    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
    NonZealot
    • Seems like your mouth is very wide open when...

      ...laughing out loud...

      You could've used "ROFLMAO," though. :)
      Grayson Peddie
      • @Grayson Peddle

        "Seems like your mouth is very wide open when...
        ...laughing out loud..."

        That's why he is always sticking his foot in there.

        NonZ suffers from a cronic case of foot in mouth disease.
        Axsimulate
    • @NonZealot

      Here NonZ click on this link and post there would you?


      http://blogs.zdnet.com/security/?p=2934

      "A security researcher named ?Nils? (he declined to provide his full
      name) performed a clean drive-by download attack against the
      world?s most widely used browser to take full control of a Sony Vaio
      machine running Windows 7.

      He won a cash prize and got to keep the hardware. Details of the
      vulnerability, which was described by contest sponsor TippingPoint
      ZDI as a ?brilliant IE8 bug!? are being kept under wraps.

      Several members of Microsoft?s security response team were on hand
      to witness the successful exploit."
      Axsimulate
      • Sure I will! I'll also respond here

        http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=62210&messageID=1146130

        OS X still fell first and it fell within seconds meaning that OS X is officially the least secure OS out there. It was proven last year and it was just proven again. :)
        NonZealot
        • Or...

          "OS X still fell first and it fell within seconds meaning that OS X is
          officially the least secure OS out there."

          the most desirable prize.

          Didn't all browsers fail at the same stage of the competition?
          Richard Flude
          • I have proof it isn't the most desirable prize

            http://arstechnica.com/apple/news/2009/03/last-years-pwn2own-winner-says-safari-will-be-first-to-fall.ars

            [i]"Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats," said Miller. "With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is."

            Miller believes that the other browsers won't be hacked, based on his experience. "They make it so hard that, for me, $5,000 isn't motivation enough to try to break one of those guys," he said.[/i]

            So Miller (the winner) publicly stated that the other browsers, and I quote, [i]make it so hard[/i]. Yes, he was wrong that the others wouldn't be hacked but no, his motivation was [b]not[/b] the MacBook, it was the fact that Safari was easy and the others, and I quote, [i]make it so hard[/i]. In other words, Safari + OS X = low hanging fruit. :)
            NonZealot
          • Let me get this right

            You quote as your expert, and present as proof, a quote which includes
            "Miller believes that the other [non-Safari] browsers won't be hacked".

            We now know these were hacked and Miller was wildly wrong.

            You acknowledge this enormous error yet use Miller as your "proof" to
            support your unsubstantiated claims. Extraordinary, but given the source
            not at all unexpected;-)
            Richard Flude
          • Um, who is the better expert?

            You said that the motivation for choosing OS X was the prize. [b]The guy who won the prize said his motivation wasn't the prize but he chose OS X because it was the easiest to hack.[/b]

            I didn't claim he was a hacking expert (although he did hack the seemingly unhackable OS X, if you claim he isn't an expert what you are admitting is that even an idiot can hack OS X, want to go there?), [b]I was quoting the source[/b].

            Yes, he was wrong about hacking the other platforms but that is irrelevant to the discussion [b]you started[/b]. Want to argue with me that he was wrong about his motivation? Want to quote a better source than Miller about why Miller chose OS X as the one he was going to hack?

            HILARIOUS!!!!! You don't [b]have[/b] to retract your post but wow, what an embarrassing thing for you to leave up there for the whole world to see. :)
            NonZealot
          • Cross purposes

            I agree Miller did not find the Macbook the most desirable prize.

            However it is my understanding the browsers fell at the same stage of
            the competition. This doesn't support Mac OS X being officially less
            secure, nor Miller's Safari is easy whilst others too hard.
            Richard Flude
          • Now hold the phone a sec...

            While it IS true that Miller said that he didn't think the other browsers would fall, didn't he also say that even TRYING to hack them wasn't worth the $5,000 prize? For all we know, he may have barely taken a cursory glance at them and moved on to the easy pickins?

            Sounds more to me that Miller's just lazy...
            Wolfie2K3
          • I wonder why....

            if OSX is so easy to get into, there are virtually no exploits out in
            the wild Internet to take advantage of this supposed fact. When I
            read that thousands of Apple's computers have fallen prey to a
            piece of malware similar to the Conficker/downadup worm, I
            might begin to get concerned about it. Someone please wake me
            up if/when that happens.
            arminw
          • Wake Up

            How do you KNOW there is nothing out there in the wild?

            Gone are the days of putting a 'you've been hacked' message on the screen.

            Today's hackers want to steal information and accounts. The longer they stay under the radar the better.

            There may be hundreds of infected computers and the corresponding ID thefts that are only good as long as they are not noticed.
            The Smoking Man
          • you need to smell that the apple is cooking

            http://news.google.com/news?oe=UTF-8&sourceid=navclient&gfns=1&q=mac+botnet&um=1&ie=UTF-8&hl=en&ei=7TQDSv6rG5i8tAPezbDgAQ&sa=X&oi=news_group&resnum=1&ct=title

            Really, you missed this? Somehow? OK, your days of security through obscurity are *over*. One of the key things that allowed this malware to deploy and get onto machines is the fact that Mac users are *not* taught how to look at processes or dig under the hood. They allow something to run because they have a (now proving to be false) sense of security.

            Welcome to the world, I hope that living in a small box in the mountains that no one visits has provided you with enough social interaction that you can come down from that cloudy perch and join the rest of the world and our amazing flying cars and telepathy that we've been developing for the 20 years you've been ignorant of civilization.
            ariesghost
        • NZ, give appropriate credit...

          It was secondS. There's an "s" on the end there. It's not like it fell on the first second. (Or the second second...) :p
          MGP2