Zero Day

Ryan Naraine and Dancho Danchev

Pwn2Own 2009: Safari/MacBook falls in seconds

By Ryan Naraine | March 18, 2009, 4:05pm PDT

Summary

[ UPDATE: IE 8 and Safari also fall ]
VANCOUVER, BC — Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.
“It took a couple of seconds. They clicked on the link and I took control [...]

Topics

Ryan Naraine

Blogger Info

Dancho Danchev

Bio
Contact

Vendor HotSpot

Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

[ UPDATE: IE 8 and Safari also fall ]

VANCOUVER, BC — Charlie Miller has done it again. For the second consecutive year, the security researcher hacked into a fully patched MacBook computer by exploiting a security vulnerability in Apple’s Safari browser.

“It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said moments after his accomplishment.

The contest kicked off at exactly 3:15 PM and, within seconds, Miller launched his drive-by attack and claimed the $10,000 top prize. He also got to keep the MacBook machine.

Miller said he came to the CanSecWest security conference with a plan to hack into Safari and had tested the exploit carefully to ensure “it worked the first time.”

TippingPoint’s Zero Day Initiative has acquired the exclusive rights to the vulnerability and coordinate the disclosure and patch release process with Apple.

Technical details of the vulnerability will not be released until a patch is ready.

Several hackers are currently attempting exploits against Internet Explorer 8 and Firefox but those browsers are still standing.

See the final contest rules here.

[ UPDATE: IE 8 and Safari also fall ]

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Full Bio
Disclosure
Contact

More from “Zero Day”

Diebold ATMs infected with credit card skimming malware

CanSecWest: Caution, community at play

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?

Ask a Question Start a Discussion

Talkback Most Recent of 119 Talkback(s)

Follow via:: RSS; Email Alert

Again?

Fool me once, shame on you. Fool me, twice shame on me.
Sleeper Service

03/18/2009 04:15 PM
- Reply to
- Flag
First to fall - two years in a row - in a few seconds!

Wow, OSX + Safari was the first to fall two years in a row and it fell so much quicker than the others, it's nuts. A few seconds versus hours of hacking attempts on the others? The guy who cracked it even said publicly that he picked OSX and Safari to target because it is by far the easiest of the bunch to crack. I wonder how long it will take the RDF to kick into overdrive over this news. Even on a Mac, I won't use Safari.
BillDem

03/19/2009 07:44 AM
- Reply to
- Flag
Easy Hack

It's easier than the others because of the Apple/Safari Monoculture.
You know what the OS will be, you know what the hardware is likely to be, and if there is an undisclosed vulnerability, it will stay vunerable until the one vendor who is allowed to ix it, fixes it.

However what this didn't say was whether the machine was fully patched, or which version of Safari was Pwned.

Firefox3.x is still my browser of choice on Linux, OSX and Windows. 8)
Safari4 does look nice though.
chromeronin

03/23/2009 06:49 PM
- Flag
re: Easy Hack

http://blogs.zdnet.com/security/?p=2941

"got a chance to sit down with Charlie Miller, the researcher who broke into a fully patched MacBook machine using a Safari code execution vulnerability."
rtk

03/23/2009 08:23 PM
- Flag
Need more details, please

Article also doesn't say whether this hack works remotely, or if Miller
needed to administrator's password -- which makes it a rather limited
hack, wouldn't you think.

Rather than simply gloating over hacking Safari, a better article might
have explained the set-up a little more thoroughly.
KaplanMike

03/23/2009 08:31 PM
- Flag
HAHAHAHAHAHAHAHAHA!!!!!

HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!

Plummeting computer sales.

Plummeting iPhone sales.

Plummeting security.

What a fantastic week for anyone not emotionally invested in Apple!

HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!
NonZealot

03/18/2009 04:29 PM
- Reply to
- Flag
Seems like your mouth is very wide open when...

...laughing out loud...

You could've used "ROFLMAO," though.
Grayson Peddie

03/18/2009 04:47 PM
- Reply to
- Flag
@Grayson Peddle

"Seems like your mouth is very wide open when...
...laughing out loud..."

That's why he is always sticking his foot in there.

NonZ suffers from a cronic case of foot in mouth disease.
Axsimulate

(Edited: 04/16/2009 07:32 PM)
- Flag
@NonZealot

Here NonZ click on this link and post there would you?

http://blogs.zdnet.com/security/?p=2934

"A security researcher named ?Nils? (he declined to provide his full
name) performed a clean drive-by download attack against the
world?s most widely used browser to take full control of a Sony Vaio
machine running Windows 7.

He won a cash prize and got to keep the hardware. Details of the
vulnerability, which was described by contest sponsor TippingPoint
ZDI as a ?brilliant IE8 bug!? are being kept under wraps.

Several members of Microsoft?s security response team were on hand
to witness the successful exploit."
Axsimulate

(Edited: 03/19/2009 03:24 PM)
- Reply to
- Flag
Sure I will! I'll also respond here

http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=62210&messageID=1146130

OS X still fell first and it fell within seconds meaning that OS X is officially the least secure OS out there. It was proven last year and it was just proven again.
NonZealot

(Edited: 03/18/2009 06:13 PM)
- Flag
Or...

"OS X still fell first and it fell within seconds meaning that OS X is
officially the least secure OS out there."

the most desirable prize.

Didn't all browsers fail at the same stage of the competition?
Richard Flude

03/18/2009 06:19 PM
- Flag
I have proof it isn't the most desirable prize

http://arstechnica.com/apple/news/2009/03/last-years-pwn2own-winner-says-safari-will-be-first-to-fall.ars

"Apple's products are really friendly to users, and Safari is designed to handle anything, including all kinds of file formats," said Miller. "With a lot of functionality comes the increased chance of bugs. The more complex software is, the less secure it is."

Miller believes that the other browsers won't be hacked, based on his experience. "They make it so hard that, for me, $5,000 isn't motivation enough to try to break one of those guys," he said.

So Miller (the winner) publicly stated that the other browsers, and I quote, make it so hard. Yes, he was wrong that the others wouldn't be hacked but no, his motivation was not the MacBook, it was the fact that Safari was easy and the others, and I quote, make it so hard. In other words, Safari + OS X = low hanging fruit.
NonZealot

(Edited: 03/18/2009 06:34 PM)
- Flag
Let me get this right

You quote as your expert, and present as proof, a quote which includes
"Miller believes that the other [non-Safari] browsers won't be hacked".

We now know these were hacked and Miller was wildly wrong.

You acknowledge this enormous error yet use Miller as your "proof" to
support your unsubstantiated claims. Extraordinary, but given the source
not at all unexpected;-)
Richard Flude

03/18/2009 06:40 PM
- Flag
Um, who is the better expert?

You said that the motivation for choosing OS X was the prize. The guy who won the prize said his motivation wasn't the prize but he chose OS X because it was the easiest to hack.

I didn't claim he was a hacking expert (although he did hack the seemingly unhackable OS X, if you claim he isn't an expert what you are admitting is that even an idiot can hack OS X, want to go there?), I was quoting the source.

Yes, he was wrong about hacking the other platforms but that is irrelevant to the discussion you started. Want to argue with me that he was wrong about his motivation? Want to quote a better source than Miller about why Miller chose OS X as the one he was going to hack?

HILARIOUS!!!!! You don't have to retract your post but wow, what an embarrassing thing for you to leave up there for the whole world to see.
NonZealot

(Edited: 03/18/2009 06:46 PM)
- Flag
Cross purposes

I agree Miller did not find the Macbook the most desirable prize.

However it is my understanding the browsers fell at the same stage of
the competition. This doesn't support Mac OS X being officially less
secure, nor Miller's Safari is easy whilst others too hard.
Richard Flude

03/18/2009 07:47 PM
- Flag