The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1
That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully patched MacBook by splitting it wide open and gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name of Nils (pictured) toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon, netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest, which runs through Friday, isn't over by any stretch.
[Via ZDNET]

Sad =( No love for Opera. I guess that means I don't need to be as afraid of the internets now.
But perhaps the internets should be afraid of you?
hm, no Opera? Two possibilities: 1. It's too difficult, they knew no one could hack it in this time frame -> not interesting -> no Opera in this contest. 2. hackers think that only a few users use Opera, maybe only users who know their system, so it's not interesting again.
In the end this means Opera is the best browser, because no hacker cares about Opera or no one is able to hack it, or it's just too difficult at the moment.
Regardless of these facts, Opera is the best browser in my opinion and now even the safest, just great. :p
I am sure Opera being the one out is going to take this to the EU...
Opera probably came from Soviet Russia.
Hey, it's not over till the fat lady sings.
Frank, that is horribly flawed logic
@ frank
Apparently, opera doesn't have the best spelling or grammar check...
@Frank
What about the possibility that the organisers thought Opera's security was a total joke, and couldn't afford to pay out on all the exploits?
I'm just saying, that would also explain Opera's absence. But your logic works, too. Feel free to believe yourself invincible.
Suggested further reading -> http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009 You will note the discussion surrounding Opera's not being there by the organizers down in the comments section. Was that so hard?
Opera is an excellent browser as far as security is concerned, the only thing is you cannot invite all the browsers to this kind of competition, so they only pick the ones with the higher market share.
As it is an American thing, they consider the American market as a good image of the world's market (which is obviously not true) so they didn't pick Opera, whereas it has around 5% market share in Europe for example (where Safari has less than 3%).
Opera is pretty popular here too... well I'm in Canada, and almost everyone in my school either uses Opera, or has it installed on their computer just in case their Firefox craps them out. Then again I go to a tech school. Don't the companies have to pay the organizers too because they want to find out exploits so that they can patch them? Maybe Opera couldn't afford the bill.
Did you have to censor his crutch because he was exposing himself :p
...quite small area blanked out :( poor fellow.
I think you meant crotch, you silly boy.
It's his nametag, geesh
Serious troll is serious?
It was an attempt at humor you silly people.
No, I think you were right the first time when you said 'crutch'
It explains why his right hand is in such an awkward position, and why his right leg seems blurry.
ZOMG CONSPIRACY.
"Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? "
It's beta I think....???
is it not biased?
Plus 1 to you Sir.
It came out of Beta today!!! It's released.
That's engadget for you, they don't say how IE8 was breached probably because it was harder than the breach in Safari on OSX that was first to fall.
A Malicious link is all it took to bring down glorious Apple programming.
You're on a news blog, why would it be required to be unbiased?
Also, there's no such thing as an unbiased news source, not even close.
WinMo? Pluuuhleeeez. Isn't WinMo an exploit by definition?
It's only biased if the article doesn't mention that Safari was compromised within seconds and was the first to be targeted by all the hackers. Oh. I see what you mean.
+1 would love to see if the vuln applied to the RTM'd IE 8 on a fully patched Vista machine! Would also love to see the user clicking yes to a bunch of ActiveX warnings etc or did they have to put it into the trusted sites?
Mark's right. Safari was breached in less than a second. All it took was a click on a button and it was over. A beta browser on a beta OS took longer to hack and let's not forget that Safari was pwned just as quickly last year. But hey, why ruin a good story with the sorts of details that could ruin a great sponsorship deal. Tell me Engadget, how can I whiten my yellow teeth?
What does it mean that it was "breached within a second"? Don't you think these guys, eh, _prepared_ their hacks beforehand? Mac was probably the first target because it's the most interesting - will generate the most news etc.
It's not surprising it was compromised either because QuickTime alone has the potential for a few thousand more exploits. Unless Apple sandboxes Safari, it's not going to be secure.
What will be really interesting is whether the iPhone will be hacked. That's a different beast entirely, and all iPhone apps are sandboxed. Sandboxing means you can't compromise the system via a single app - not even mobile Safari. It's the only security concept that can work, and the iPhone is the only OS / device that has it.
They prepared beforehand for everything, not just for Safari.
It may be beta, but IE final was just announced, so it can't be that far from final code. They don't rush around patching holes as the last things they do before they slap the RTM sticker on it. They've branched long before that.
Besides, we don't know what version of Safari was used. It might have been the Safari 4 beta.
@nikster: Actually, sand-boxing is present in most modern operating systems.
@nikster
Actually the man who actually did the breach said that his reasoning behind going after the mac first was that the others were too hard, he even thought they wouldn't be breached (even though they were)
nikster, of course Miller's hack was prepared. He publicly stated about a week ago that Safari was easier to crack than the other two and probably had a number of solutions that could do the job. What should really worry you is that Safari is such a joke from a security point of view that the same hacker who broke Apple last year can state he'll do it again a week before the event and then do exactly that with no attempted defense from Apple. At least IE and FF put up a fight.
Safari was hacked last year - after a whole day where they couldn't. And then they had to type in the Admin. password after they had relaxed the rules. And they had to have a physical connection to the computer. Couldn't do it from a remote computer. Oh yeah, that really shamed Apple. Uh huh.
The contest's credibility is suspect at best, or more likely crap. Did they even bother to have the original rules this year? Or would they get in the way of giving Safari, Firefox and IE8 a Nelson-like "ha ha." Let's not even talk about how clicking on a link the guys had weeks and weeks to prepare is hardly hacking in a second.
I'll have to read up on how it actually went. Because lord knows we're not going to get all the facts that might be inconvenient in tell us exactly how IE 8, Safari and Firefox were ACTUALLY happened, and how it actually applies to how we use our browsers on a daily basis.
Why don't all you bozos casting aspersions without knowing the facts admit you don't really want the facts that makes such an event way more boring than frightening.
@Eric: where did you buy your tinfoil hat?
OK, Safari has a *feature* that executes a file after it has been downloaded without user intervention. It has been a problem for a while and it allows for a computer to be compromised provided that a user clicks on a link. Of course there is a mechanism that asks you if you really want to run the application that you downloaded from the Internet but you can usually trick a user to click in both cases. This is hardly a security fault though. This is a feature that can be exploited and can easily be turned off if you choose to do so. I would recommend that every Mac user turns off that feature and manually run applications when he/she really needs to. Why Apple chose to keep it as the default behavior is beyond me. As far as IE 8 goes it is hardly a biased review since Ballmer has a really huge mouth and it's only fair to judge the software in the same manner as it gets advertised. So the bottom line is that a moron with a browser can really shoot him/her self in the foot. But of course that is nothing new ...
Anyway this has absolutely nothing to do with OS security because it is the browser that ended up getting compromised and not really the OS. Oh and just because Windows 7 is still in beta stage does not mean that you shouldn't include it in tests. It's good to have an idea of what the future might hold for your computer.
@KarlW:
The exploit used to pwn the IE8 Beta actually DOESN'T work in the IE8 RTW on a fully patched Vista. There is an article on the Pwn2own website. So, in all actuality the exploit was already fully patched by the time anyone demonstrated it.
No one is safe.
Oh wait, if users stop being stupid and don't click on everything they see, then they might be.
Also, NoScript.
crap
Chrome???? THE OPEN SOURCE BROWSER was the safest??????
I mean I love it, but something's wrong there. Maybe they didn't try hard enough?
Yea, after all chrome is just based on webkit
But the contest isn't over it seems.
Or maybe it's because it's new.. I imagine hackers will know the ins and outs of Safari, IE and Firefox as they've been around so long...
Well with Google making its massive advertising all over the net, I think they paid off the hackers not to hack Chrome..
In theory, an open source project is quite likely to have up-to-the-minute fixes, since so many people are constantly poring over the code trying to find problems.
Seeing as they have forever to prepare these exploits before the "contest" and get them working – hence everything falling the first day – then I guess no one cared about Chrome.
I'm not at all surprised. Look at last year's Pwn2Own, where the three major OS styles were on trials: Windows Vista, Mac OSX, and Ubuntu Linux. OSX was hacked in the first few minutes. Vista was also taken down, but the open-source Ubuntu was never taken down. I recall reading that one hacker said something along the lines of "we could have hacked it, but it wasn't worth the $10,000 prize," (I'm paraphrasing).
That says a lot for the potential in open source security, especially considering Ubuntu is considered to be one of the relatively insecure Linux distributions.
Open source software usually tends to be more secure...
The most secured OS in the world is OpenBSD which is open source.
Open source software tends to be more secure because several (group of) people read the code from a different point of view whereas a team of developers working on a project all together will all see the code the same way.
Much better way to discover vulnerabilities.
God! Thomas. Some of you guys at Engadget need to be punched on the face with a full load of "how not suck up to Apple so much". Grow the hick up!
Reading.Fucking.Comprehension.Fail!
From the title of the article: All three browsers hijacked and exploited on day one.
From the text of the article: All three browsers failed miserably, oh, and BTW, a few hours ago Ballmer came out and made a wild statement that has just been proven wrong.
I know you need a daily anti-apple/anti-engadget/go-winmo rant a day, but lay off the meth and read the actual article instead of sounding like a complete paranoid tool...
Yes, I don't understand the complaint with the article. It simply pokes fun at Microsoft because this news coincides with statements made by Microsoft's CEO regarding IE8 that is being launched today. It seems fair enough to me. I mean, the author is hardly ignoring that an Apple product was compromised.
Take a breath and chill out. I mean, it's not like this is something important. If you want to get annoyed about something that actually matters, get annoyed at AIG.