Pwn2Own MacBook attack: Charlie Miller hacks Safari again

Summary: For the third year in a row, Charlie Miller has hacked into a MacBook by exploiting a critical Safari browser vulnerability.

VANCOUVER, BC -- For the third year in a row, Charlie Miller has hacked into a MacBook by exploiting a critical Safari browser vulnerability.

At the CanSecWest Pwn2Own hacker contest here, Miller performed a clean drive-by download against Safari to get a full command shell on the MacBook.

[ ALSO SEE: Hacker exploits IE8 on Windows 7 to win Pwn2Own ]

In the attack, Miller set up a special Web page with the exploit. Using Safari, a conference organizer surfed to the Web page and watched as Miller took control of the machine.

Details of the vulnerability are being kept under wraps until Apple releases a fix.  TippingPoint Zero Day Initiative (ZDI), the contest sponsors, will handle the process of reporting the issue to Apple.

Miller, who uses fuzzers to find security vulnerabilities, is slated to deliver a conference presentation on fuzzing techniques against popular software products.

[ ALSO SEE: Pwn2Own 2010: iPhone hacked, SMS database hijacked ]

More to come...


Talkback

80 comments
  • Hackers always go after low hanging fruit first

    We are told this time and time again. So, using
    [b]Apple cultist logic[/b], the easiest mobile
    phone to hack is the iPhone and the easiest
    browser to hack is Safari. Makes me glad I don't
    use either of those security sieves.
    NonZealot
    • Great Point Except...

      They had a lottery as to which order they would take the machines down.
      They say lottery but the iPhone came out first in line... which is
      convenient for them from a publicity point of view...
      jgpmolloy
      • Please see 2.1 {nt}

        ;)
        WinTard
      • RE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again

        @john@... That's true but NonZealot's point is still true. By Charlie M's own admission they take the low hanging fruit first regardless of which device is first to be hacked. Charlie M considers Apple's Safari an easy hack.
        DevGuy_z
    • These are not hackers, they are security experts - are you that dumb

      [i]Hackers always go after low hanging fruit first
      We are told this time and time again. So, using
      Apple cultist logic, the easiest mobile
      phone to hack is the iPhone and the easiest
      browser to hack is Safari. Makes me glad I don't
      use either of those security sieves.[/i]

      Yet again you obviously miss the point and make outrageous claims.

      Hackers go after the money.

      Pwn2Own contestants are not hackers, they are the people who work
      to stop hackers.

      A bit like the difference between an Anti-Terrorism consultant and a
      terrorist.

      Terrorists blow people up, they go after those they wish to blow up,
      and target those they can blow up easiest.

      Anti-Terrorism consultants get paid big money to find ways to stop
      the hard to reach targets from being hit.

      So if this was a terrorism related competition, the big prize would be
      to hit the target with the best security.

      And this outcome would not validate any statements about the targets
      of suicide bombers.

      You are either a fool, or have an agenda in these statements, which is
      it?

      And your clever security threat assessment is clearly borne out by the
      number of infected PCs, and the lack of infected Macs, isn't it?
      richardw66
      • You completely missed the point... by a country mile.

        The thing is - it doesn't matter WHO or WHY it got hacked.

        The point is - The bloody thing got HACKED. Period.

        Yes, it's all very well and good that the folks who hack at CanSecWest are security researchers and not some Romanian or Russian bad guys who are out to build a botnet or some such. God help you guys if they weren't quite so honest.

        You'd be making a royal mess in your undies if this stuff ever got out into the wild and got into a crimeware gang's collective hands - AND if anyone in one of those gangs ever gave a flying fig about the Mac.

        What's even worse... Apple released a slew of patches in the past couple of weeks that were all security related. And it STILL got pwned!

        The bottom line of the article obviously didn't sink in all the way -

        "At the CanSecWest Pwn2Own hacker contest here, Miller performed a clean drive-by download against Safari to get [b]a full command shell on the MacBook.[/b]"

        That sounds to me a lot like ROOT level access. We keep hearing that's supposed to be impossible. And yet, it still happened.
        Wolfie2K3
      • lol wow

        Since when the hell was a "hacker" defined as someone who takes advantage of a security exploit only for the money? A hacker is anyone that takes advantage of a machine or network by using vulnerabilities in software.
        ChrisHacken
      • RE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again

        @richardw66 1) They themselves will call themselves hackers. White hat hackers but hackers nonetheless. If they call themselves hackers, then NonZealot can too.
        2) Charlie Miller explicitly claims to go after low hanging fruit. Search around and you won't find interviews with him hard to find.
        3) The reason they go after the low hanging fruit is that there is money in finding an exploit (again this is based on interviews with the contestants) and they save their best exploits for where they can get money.
        4) There have been successful in-the-wild attacks against Macs and Linux. Many years ago a guy challenged the world by putting a fully patched Mac outside a firewall and challenged the world to hack it. It fell within 30 minutes.
        5) Macs are not as interesting targets because Apple really doesn't do servers and servers are the primary targets of hacks.
        6) BSD, on which OS-X is based, was found to have a back door that went unnoticed for over a year.
        DevGuy_z
    • "Hacker exploits IE8 on Windows 7 to *win* Pwn2Own" so yes you're right.

      http://blogs.zdnet.com/security/?p=5855&tag=col1;post-5836

      You're awfully quiet on that thread. Wonder why.
      macgroover
      • good catch, you found an incorrect title

        This hack didn't "win" pwn2own, for starters the prize won is only 10k, compared to 15k for the iPhone SMS hack.

        http://blogs.zdnet.com/security/?p=5836
        rtk
  • That is why Windows 7 fell the fastest.

    Sorry NonZealot. Charlie did not win. The win went to IE 8
    and Windows 7 (64 bit).

    Yep, lowest hanging fruit did win.
    Bruizer
    • Quote you Bruizer, "Yep, lowest hanging fruit did win."

      Sorry Bruizer but this is exactly how it happened:

      [i]http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010

      Here are the results, in order:

      1. PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
      2. PWNED! Charlie Miller - Safari
      3. Nils - Safari (Prize Claimed)

      4. PWNED! Peter Vreugdenhil - Internet Explorer 8
      5. MemACCT - Internet Explorer 8 (Prize Claimed)

      6. Anonymous - Nokia
      7. Anonymous - iPhone (Prize already won)
      8. PWNED! Nils - Firefox
      Competition Results (still in progress)

      Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone in the first time slot. They exploited a 0day Safari vulnerability with a payload which retrieved the text messages from the device.

      As the luck of the draw would have it Nils on Safari, MemACCT on IE 8 and Anonymous on iPhone lost their time slots as the prizes had already been claimed. Their vulnerabilities are still eligible for submission through the Zero Day Initiative.
      Tags:
      Published On: 2010-02-15 16:41:27[/i]

      Incredible the FUD+BS Apple zealots spew... But it only works on imbeciles.

      Like you say Bruizer: [i]"Yep, lowest hanging fruit did win".[/i]

      [i]~~~~~~~~~~~
      The game of life is the game of boomerangs. Our thoughts, deeds and words return to us sooner or later, with astounding accuracy.
      ~ Florence Scovel Shinn[/i]
      WinTard
      • Fell the fastest...

        Not in the order. The order was already picked and the iPhone was up
        first. Perhaps you didn't read the rules you linked to?
        jgpmolloy
    • Safari Easier to Hack Than IE8

      According to interviews with the hackers, Miller wrote his Safari exploit in "less than a week" while it took Vreugdenhil "about two weeks" to write the IE exploit.

      It's not how quickly the exploit acts that determines how secure a system is, it's how hard it is to write the exploit that hacks the system.

      But why burden yourself with facts when uninformed opinion is much more aligned with your personal views.
      NameRedacted
      • er, miller does this for a living...

        I suppose you won't count the 3 years he's been doing this as going
        against his 1 week exploit as opposed to 2 weeks from someone coming
        at this fresh then?
        jgpmolloy
        • er, so does Vreugdenhil...

          Only professional security researchers with a reputation for uncovering security vulnerabilities get to participate in these things.

          But again, please feel free to twist the facts around to fit with your point of view.
          NameRedacted
      • How wrong can one guy be?

        "It's not how quickly the exploit acts that determines how secure a system is, it's how hard it is to write the exploit that hacks the system." Dude, I can't imagine you being more wrong on this. It doesn't matter how long it takes to write the exploit, that's something that needs to be done only once. Once the script kiddies have the exploit in-hand, the repetitive nature of pwning machines is where the rubber truly meets the road. And you talk about uninformed opinion...pot, meet kettle.
        jasonp9
        • Look in the mirror and ask yourself...

          As someone who supervises the development of applications for a living, the relative difficulty of a task is measured by how long it takes to complete. You're right that the exploit only needs to be written once, but your argument flies in the face of common sense.

          If it takes a carpenter two days to build one table and four days to build another, the second table was, by definition, harder to build. The same applies here.
          NameRedacted
          • Not the same carpenter

            "If it takes a carpenter two days to build one table and four days to build
            another, the second table was, by definition, harder to build."

            But this was not A carpenter. This was 2 different carpenters.

            You can't compare because you have no idea of the relative skills of the
            two programmers.
            macgroover
      • Not necessarily, since...

        ... the one who took down IE8 specifically stated that he used a
        two-pronged attack simply for the speed, since his single attack
        could have done the job alone. He also stated that he added
        eye-candy to the attack for entertainment purposes.

        What's worse, Windows 7 fell twice, once with IE8 and again with
        Firefox. Where is Windows' vaunted security?
        Vulpinemac