Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Pwn2Own hacker: Apple Safari is 'easy pickings'

By | March 3, 2009, 9:05am PST

Charlie Miller, the security researcher who won last year’s Pwn2Own hacker contest, is predicting that Apple’s Safari browser will be the easiest target this year.

In a note posted on the popular Daily Dave mailing list, Miller describes Safari as “easy pickin’s” and forecasts that at least four zero-day Safari flaws will be used during the contest at CanSecWest later this month.

[ SEE: Pwn2Own hacker contest targets browsers, smart phones ]

This year’s contest will pit hackers against browsers and smart phones with Internet Explorer, Firefox, Safari, Opera and Chrome among the high-profile targets.  It will also include attacks against fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations.

Here are Miller’s predictions:

  • Safari: hacked by 4 different people.  Easy pickin’s as usual.
  • Android: hacked by 1 person.  Not too tough but no one owns one.
  • IE8, Firefox: Survive unscathed.  The bugs to exploit equation is too hard for $5k.
  • iPhone, Symbian: Survive due to non-executable heap.
  • Blackberry, Windows Mobile, Chrome: I don’t know enough to say anything intelligent.  That said, they’re probably hard/obscure and so survive.

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.  He is also known for launching successful attacks against Apple’s iPhone and Google’s Android platform.

ALSO SEE: 10 questions for MacBook hacker Dino Dai Zovi

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

71 Comments

RE: Pwn2Own hacker: Apple Safari is 'easy pickings'
birumut Updated - 3rd May 2011
Great!!! Thanks for sharing this information with us!
seslisohbet seslichat
This would be the Charlie Miller
frgough 3rd Mar 2009
who won by cheating, correct? By using an already known Perl exploit
that Apple hadn't patched yet in OS X.

The event organizers know he cheated, but didn't have the onions to call
him on it. Well, actually, they were just thrilled as hell that Apple got
taken down a notch, so they really didn't care that the guy cheated.
That would be the vulnerability
honeymonster Updated - 3rd Mar 2009
that Apple neglected to patch, leaving it open
for every would-be attacker in the world to use
to attack the invulnerable mac for
almost an entire year?

Was that the flaw? What does that say about
Apple diligence?

Seems to me that with that kind of attention to
their customers security, calling Safari as the
first victim isn't too hard. Miller has first-
hand experience.

He also said "every time I go looking for a
vulnerability in some Apple software, I find
one".
@honeymonster
Axsimulate 3rd Mar 2009
An entire year? Wow! What does that say about Microsoft when the Conficker worm exploits a vulnerability that is in Windows and has been for at least 9 years? From Windows 2000, XP, Vista to even Windows 7 is affected.

http://en.wikipedia.org/wiki/Conficker

Apparently somebody else thinks that every time they go through Microsoft software, they find holes.
An unfound exploit
LiquidLearner 3rd Mar 2009
in the RPC stack that has existed for years, patched immediately after discovery, is not the same. Guess what. This vulnerability was technically there last year. No one knew it existed. So the fully patched machine didn't fall. And guess what else? The exploit has been fixed, so currently a fully patched PC wouldn't be vulnerable either.

But hey, tell yourself whatever you wish. I'm all for Apple creating this "invincible" culture of users that will be so incredibly easy to attack because no one will know any better. Imagine how easy it is, even today, to get a socially engineered exploit onto a Mac. A whole lot easier than Windows, there's just far more Windows users so you have a better chance at hitting something.
@LiquidLearner
Axsimulate 3rd Mar 2009
"Imagine how easy it is, even today, to get a socially engineered exploit onto a Mac. A whole lot easier than Windows"

If it's so easy, where are they then?
I'm guessing you missed..
rtk 3rd Mar 2009
OSX.Trojan.iServices.A where tens of thousands of OS X users installed a trojan with pirated iLife?

Or how about OSX.RSPlug.A where tens of thousands of OS X users installed a trojan with a porn video lure.

All you have to do is look.
@rtk
Axsimulate Updated - 4th Mar 2009
Oh wow! all two of them! Yes I am aware of them.

OSX.Trojan.iServices.A: up to 20,000 infected
OSX.RSPlug.A 49: infected

Conficker: 9-20+ million infected And that is only one of over 20,000 for Windows.

So I ask you again: where is this tidal wave of viruses, worms and trojans for the Mac that the winzealots keep saying is going to happen any day now? I'm not saying OS X is perfect, it has its share of security issues, but two of them hardly count.
@rtk
nblackmarr@... 4th Mar 2009
Oh, that's right, the ones where people had to enter their password to
install them... lol.
Yeah, that's the one where they gave the domain admin...
hasta la Vista, bah-bie 4th Mar 2009
...a bottle of Jim Beam. Good hack.

LOL... grin
@nblackmarr
rtk 4th Mar 2009
reread the thread, we're talking about social engineering, not remote exploits.

Getting foolish users to type in their password is just about the definition of social engineering.

Point in fact, all three systems withstood day one of last year's pwn2own, remote hacks only.
@rtk
Axsimulate 4th Mar 2009
You better go back and reread the info about Conficker. It can install itself a couple of different ways, one of which auto-installs just by inserting a USB flash drive (if you have autorun turned on, which it is by default, and even MS said this will not fully protect you). That is not social engineering no matter how you try to spin it.
@Axsimulate
rtk 4th Mar 2009
Where does the infected USB drive come from? Someone tricks me into plugging it in?

Sneaking a physical device onto a user's machine is the very definition of social engineering.

Enterprises that were hit lack patch management and sane administration. Consumers were just foolish, convinced by other clueless users to not install the patch or turn off auto updating.
You'll never get a straight answer, Axsimulate
hasta la Vista, bah-bie Updated - 4th Mar 2009
I've been asking them that for Linux for months now. They no can do.
that got hacked
be interesting to know
and the steps ( should be known )
to avoid such unpleasant events .
@gkrwc
Axsimulate 4th Mar 2009
OSX.Trojan.iServices.A: up to 20,000 infected
OSX.RSPlug.A 49: infected
Blah Blah Blah
DannyO_0x98 3rd Mar 2009
First time I saw an assertion of it as cheating and I don't think it was or
is. Let us not be apologists when Apple gets caught with its pants down.
(For the record, yes, if Apple installs something on my system, I consider
it responsible for keeping it up to date, even if a third party wrote it.)
Seems fair to me
rapson 3rd Mar 2009
A known exploit that hasn't been patched yet seems like perfectly fair game. How is it "cheating"? Did the rules say it must be a previously unknown exploit?

Carl Rapson
frgough now this is rich!!!
CrashPad 4th Mar 2009
You call a security expert, one who uses what is made available by the code presented, a cheat??? I think you do have too much koolaid in your system. The exploit is there and was used. A huge embarrassment to Apple again. You do know that Apple patched OS X for exploits more often than any other OS; Linux was next. Just reward man, just rewards!!!
Cheating?
rjacksix 4th Mar 2009
He used a known exploit and that is cheating...hardly.

It is not about finding new exploits, it is about exploiting the box as is, where is, FASTEST.

It was pwned...get over it.
pwned complete
paul_bruford@... 4th Mar 2009
mac user get over it???
I think they need to get over themselves first grin
cheating?
aussieblnd@... 4th Mar 2009
haha you gotta be kidding. If the exploit is not patched it's open season baby! That's not cheating, it's taking advantage of a known flaw.
This year
mjolnar@... 4th Mar 2009
If Apple got taken down a notch last year, this year they got taken down 4 notches. That is unless Apple let the Perl glitch go for another year. Apple isn't a safe O/S anymore. They wanted to go head to head with MS, they couldn't compete. Firefox and IE8 were both better than Safari, see what happens when you are too conceited?
...for the money and the laptop.
nope, sorry.
rtk 3rd Mar 2009
he obviously cheated, lied, or it was an inside job; it required a user to stand on his or her head and suck koolaid through a hollowed-out firewire cable.

Macs are invulnerable, and only cheating would take down OS X.
@rtk
lost65 5th Mar 2009
You are joking, right? All systems have flaws and can be hacked. It does not matter what OS: Linux, Windows, Mac, UNIX or what not. Some are harder than others. If he used a known issue to hack the Mac that was fully patched, that is not cheating, that is called using what he knows to be flawed.
....
Badgered 5th Mar 2009
You are joking right?

Yes... he was.
@lost65
rtk 5th Mar 2009
Yup, I was being sarcastic.

Just pointing out the ridiculous lengths an iFanbot will go to, to attempt to excuse their religion's failures.
Crackers never cheat.
NonZealot 3rd Mar 2009
It doesn't count because it was supposed to be an unknown flaw in a fully patched system. Since this was a known flaw in a fully patched system, no cracker would ever use it because they have a system of ethics that stop them from using known flaws to attack systems.

Sheesh Carl, this is common knowledge to every Apple apologist!
Hey NZ...
MGP2 3rd Mar 2009
A little off topic, but I figured if ANYONE could appreciate this, it would be you.

http://arstechnica.com/apple/news/2009/03/macbook-air-users-reporting-repair-issues-with-broken-hinges.ars

Some MacBook Airs, regardless of warranty status, are being denied free repair because Apple is claiming the hinge problem is "accidental damage," which is not covered under the terms of Apple's normal or extended warranty coverage. Apple has, instead, been offering to fix the machine for a flat $800.
No surprise
honeymonster 4th Mar 2009
Apple has a history of bad hardware quality, of
being dismissive of warranty claims, of
deleting messages regarding such from their
forums.

The Apple cult is impressively forgiving. My
friend just had a repair to her iMac. It was
the infamous "lines" which eventually led to
the display going all black/white. They changed
the mainboard and charged her $800. And this
was just outside the warranty.

The problem started well inside the warranty
period. But she was told that it was normal
behavior. If the display didn't come up she
should just power off and on again. When the
display chip (I assume) finally broke outside
the warranty period.

Still she swears by Apple. Amazing.
That RDF...
tikigawd 4th Mar 2009
it's a powerful bizznatch.

Quite amazing indeed.
Koolaid baby koolaid
CrashPad 4th Mar 2009
The religious like zeal of Apple fanbois is a well documented and treatable form of psychosis.
Just kidding, no treatment has been found.
It's contagious
hasta la Vista, bah-bie 4th Mar 2009
Ever since the RDF has hit the Redmond glee club...
So they don't mind paying more for in-warranty repairs than it would cost to purchase a new, better equipped winblows unit.
Not being a rich elitist myself, Apple tried to convince me the warranty date started from the manufacture date rather than my purchase date. It took more than 4 weeks of phone calls, faxes, emails, blood pressure spikes, and flat-out screaming matches to finally get them to step up and do the right thing. It was the last Apple product I'll ever buy.

Deliver good products and service, I'm a customer for life. Feed me a line a bullcr@p, try to steal from me, and I'll burn you every chance I get.
I hear ya
tikigawd 5th Mar 2009
Same story here, buddy.

But it's amazing how the RDF still works on some people even after crap like this happens to them.

And to top it off they are arrogant about it. "Genius Bar?" One word: WOW
@invmgr
Axsimulate Updated - 5th Mar 2009
I'm not financially well off, but I still own some. And I know some others in the same position. Your theory has major holes.
No company is perfect. Apple, Dell, HP, etc. I've had good and bad experiences from all of the above mentioned.
Not Microsoft!
hasta la Vista, bah-bie 5th Mar 2009
No company is perfect. Apple, Dell, HP, etc. I've had good and bad experiences from all of the above mentioned.

Nawww, say it ain't so, joe!

happy
@b8375629
Axsimulate 6th Mar 2009
LOL! I was thinking in the line of hardware. However, I have had good and bad with MS as well.
Everything being perspective.
If you had to purchase yours on Sub-prime loans, then I'm sorry for you.

Today, Fry's has a 15.4" acer laptop 2gb, 160gb, dvd writer, wifi, etc... $379.

One could buy 3 of them for the cost of a single comparable mac. Yes, No?
Or purchase 2 for the cost of repairing a single mac. Again, right or wrong?

I've also had good/bad experience with other vendors. But never so blatant or drawn out. 4 WEEKS! After emailing AND Faxing my receipt, I had to fill out some funky warranty request form and snail mail it to them. Wait for the approval to be mailed back then package the unit and send it in. 2 more weeks on top of the 4 weeks to get Apple to begrudgingly acknowledge my obvious legitimate claim.
Lesson Learned.
@ invmgr
Axsimulate 6th Mar 2009
It's unfortunate you have the issues you've had. In my 24 years of working with Macs I've never experienced anything like that. The longest it's ever taken me to get a Mac back from repair was 5 days. Quickest was same day. I think your issue was more isolated and unfortunate. It's not the norm.
balaknair 4th Mar 2009
That was genuinely funny (and sadly also the post that makes the most sense).

Thank you for giving me something to smile about.
You mouth off about this but 1 simple fact remains & that's the fact that I always have to remove spy/adware & viruses etc. off Windows XP. I never ever have to do anything but clean up an inexperienced Mac user's hard drive, cause as we experienced users know they think they have an infinite amount of storage; other than this, spam & repair disk permissions, I don't really do much else.

Why the hell does Apple rush a "new" build to public release when it IS a piece of ****? I'll never use Safari because of its track record. WHEN there is a security hole, Apple is VERY SLOW to fix it and doesn't seem to give a damn about how many people are affected by their slothful response time to patch the problem! Makes me think TWICE about buying an Apple computer--if their software is crap, then perhaps their hardware is as well.
Actual Numbers
Jkirk3279 4th Mar 2009
I hear a lot of spite about Apple not patching that Perl vulnerability, and not "giving
a damn about how many people are affected by their slothful response time".

Okay, put up or shut up.

How many Mac users have ACTUALLY been hacked using this obscure vulnerability,
"in the wild" ?

Hmmm.

Tick, Tock, Tick, Tock.

BZZZZ !

Sorry, you ran out of time. The answer is: NONE.

There had been NO reports of Mac users being actually attacked in this way.

And the way the press jumps on every little thing where Apple is concerned, I can't
believe the story wouldn't have gotten out.

People are STILL repeating the story about Apple laptops bursting into flame, and as
far as I can tell it only happened when Apple was testing a new Sony battery pack...
for a grand total of two times.

So why wasn't the exploit used?

Several reasons.

1) Most Mac users just wouldn't do that to our platform, and Windows users don't
know diddly squat about the Mac or Mac programming.

2) Most 'black hats' are attracted to OTHER platforms and focus on what they're
familiar with.

3) The number of people who actually KNEW about the vulnerability were few even
among those who could use it.

4) It ONLY works if you can trick people into coming to the rigged website.



So it's just another Social Engineering hack, really.

Apple can NOT protect someone who enters their password and installs a trojan, for
example.

So, should Apple have acted sooner?

You bet !

But there wasn't much of a sense of urgency.

And BTW, your slam against Apple hardware is just pure crap. Apple wins awards
for their hardware quality, from PC magazines, no less.
interesting...
dlancelot 4th Mar 2009
plenty of feelings in these conversations but not a ton of facts. I would like to comment on the last section of your comment Jkirk3279 in regards to:

"And BTW, your slam against Apple hardware is just pure crap. Apple wins awards
for their hardware quality, from PC magazines, no less."

The only thing I have seen that is actually "Apple hardware" is the cosmetic part of the computer. The insides from what I have seen so far are the same companies that make computers for Dell, HP, heck, even joe schmoe's computer closet...lite-on burners, intel chipsets/cpu's, nvidia or ATI video cards, seagate hard drives etc.

*just for the record, I sell both PC's and Macs...there is the right solution for a certain type of client. Not all clients need the same solution...so to say everyone should be using a Dell (optiplex or latitude) because the warranty is better than anyone else would be like saying everyone should have a mac because it looks cool.
Uhm, no
Jkirk3279 22nd May 2009
"The only thing I have seen that is actually "Apple hardware" is the cosmetic
part of the computer."

That's like saying the only part that makes a Toyota a Toyota is the motor.

After all, the window glass, the steel in the frame, the wiring, light bulbs; all
that's third-party, right?

No different from a Chrysler?

And yet I'm sure satisfied Toyota owners would tell you it's the package that
matters: the quality of the final result.

Dell, for example, makes their laptops and takes credit for the results:
combined with their customer service, that equals their corporate reputation.

I've heard that IBM Thinkpads were good, back when they still owned that
division.

I'm a little tired of the whole "it's not a forest, it's just a bunch of trees"
argument.

Try giving Joe Schmoe the aluminum, plastic, hard drive, RAM, logic chip and a
battery and see what quality laptop he wires together.

It's more than the parts. It's the design.
Why wasn't the exploit used?
nfhiggs@... 4th Mar 2009
2) Most 'black hats' are attracted to OTHER platforms and focus on what they're
familiar with.

That's because Black Hat hackers are now in it for the money. That means they need to attack platforms with a large installed user base. If you are a thief looking to score big, do you look at the local corner drug store, or the major bank across the street?

3) The number of people who actually KNEW about the vulnerability were few even
among those who could use it.

And that makes it ok for Apple to 'place it on the back burner'? Besides, it does not matter how many people know about the exploit if the desire to hack the platform is not there to begin with.

4) It ONLY works if you can trick people into coming to the rigged website.

LOL - that's a weak argument if I ever saw one. Virtually every piece of spyware on the internet works this way.

Your only valid point here as far as I can tell is Number 2, and that has far more to do with the installed user base than anything else.
Thief
Jkirk3279 Updated - 22nd May 2009
" If you are thief looking to score big do you look at the local corner
drug store, or the major bank across the street?"

If it was me, I'd look for the softest target. It's not very smart to go
for a big score against a hard target.

That major bank will have armed guards, and alarm systems.

While the corner drug store would have lots of resalable drugs easily
worth thousands (oxycontin, for example), no armed guards, no bank
vault on a timer, and while it's possible they might have silent alarms,
I doubt it.


Hackers go for the soft targets.

Except for Charlie Miller of course, who sat on a vulnerability for a year so he
could win another Mac laptop.


Windows has better security features because it NEEDS them.
The reason that the Mac hasn't been hacked very often in the wild is the same reason that OS/2 didn't get hacked back when it was around - it just doesn't get the hacker any credit. The most popular OS that will get the most publicity is always the one that will get the most attention from hackers.

Security on an Apple machine is a joke, and will be until they get enough market share that the hackers will actually pay attention to it. What is a more of a concern is that Apple is starting a very bad trend of not bothering to listen to their users. They are slow to patch software being complained about, aren't adding blue ray to the Mac, won't release an unlocked iPhone, and push Safari on users through their Apple update software (unless you watch and remember to uncheck it). I'm not sure if this is the result of Steve Jobs not being as on the ball (with everything else going on in his life) or what, but it is alarming.

I don't slam Apple hardware, although the move to Intel chips was disappointing. I do slam the fact that they do not officially allow their OS to be installed on clone machines, as they charge way too much for their hardware for the most part, and some competition in their hardware market would do a nice job of driving this down.