Printed from http://www.macnn.com

IE8, Safari and Firefox all hacked at Pwn2Own

updated 04:25 pm EDT, Thu March 19, 2009

Pwn2Own results

On the first day of the Pwn2Own contest at the CanSecWest conference, hackers successfully compromised fully-patched copies of Internet Explorer 8, Safari and Firefox, according to ZDNet. A MacBook running Safari was hacked in seconds by Charlie Miller, winning him the notebook and a $10,000 purse. His previous performance was also impressive, requiring just minutes to take control of a MacBook Air.

An individual known as Nils was able to hack a Sony Vaio running Windows 7 and a patched version of IE8, Firefox and Safari. He also took advantage of vulnerabilities in Firefox and Safari, winning a cash prize and the Vaio notebook.

Company representatives were present to view the exploits. Terms of the contest require that the vulnerabilities remain undisclosed until the software companies have a chance to release a patch.




by MacNN Staff


Comments

  1. Mr. Strat

    Joined: Dec 1969

    +2

    Unimpressed

    Show me someone hacking in without admin rights...without physical access...then I might be impressed. Pulling a cheap trick that relies on PEBCAK...BFD.

  1. martinX

    Joined: Dec 1969

    -1

    Great contest

    This gives white hat hackers a chance at (a) remuneration and (b) kudos. Might help keep people away from the Dark Side.

  1. Zkatz007

    Joined: Dec 1969

    0

    Repeat?

    Didn't this already happen? And weren't @Mr. Strat's arguments stated then, too?

  1. lkrupp

    Joined: Dec 1969

    +3

    The only problem is...

    The various tech media are reporting ONLY that Safari was compromised. They aren't mentioning the other browsers. Only Mac media sites are reporting that all three browsers were hacked. I wonder why that is?

  1. johnsonua

    Joined: Dec 1969

    +5

    Hardly 'just minutes'

    They were allowed to do all the work in advance, finding the exploit, crafting a web page to take advantage of it and the on-scene 'exploit' consisted of the winners directing the people at the keyboards to "click on the link here, please".

    This is merely cheap gimmickry.

    When he can attack a Mac without having the user unlock the front door for him and invite him in, then it will be newsworthy.

  1. mgpalma

    Joined: Dec 1969

    -1

    Newsflash

    My house can be broken into and everything valuable stolen in just 5 minutes...as long as the alarm is disarmed and the front door is unlocked.

    yawn

  1. testudo

    Joined: Dec 1969

    -1

    Re: newsflash

    Not the same thing.

    If they logged into the computer as an admin, left it on, walked away, and then someone else walked up to the machine and claimed "I hacked it!", then that would be the same thing.

    Almost every Windows flaw and piece of malware is due to social engineering. Trying to get people to go to web-site A to get some video codec to see Britney Spears having L****** s** with Justin Timberlake. Or convincing them that they need to download the latest flash plug-in (and browsers making that so much easier to con people, as users now expect the browser to install it for you, rather than downloading it yourself, then finding the disk image, opening it up, and then running the installer).

  1. testudo

    Joined: Dec 1969

    -1

    oh

    And if the article was all about how IE 8 was 'hacked' in the same manner, everyone here would be chortling about how insecure MS software is and such, and not defending it as a social engineering issue.

  1. fubar_this

    Joined: Dec 1969

    0

    Social engineering==real

    I don't know why EVERYBODY thinks that social engineering attacks don't count. That's ALL THAT EXISTS ON WINDOWS. Look it up. The last self-spreading attack on Windows occurred in 2006 (and it was caused by QuickTime ironically enough).
    Self-spreading malware has been eliminated due to software firewalls and egress filtering. But malware that spreads by asking users to click on a link is very much real, and very very real on the Mac.

    Safari/WebKit/QuickTime have had over 70 vulnerabilities every year since 2005. That's not an insignificant number, and in some years it topped Internet Explorer's vulnerability count.

    Social engineering attacks are very real. Nearly EVERYBODY runs their Mac as admin, and Mac users are no more or less likely to be susceptible to a social engineering attack than a Windows user. Why do you think Apple added anti-phishing and other anti-social engineering measures to Safari recently?
