
Printed from http://www.macnn.com

IE8, Safari and Firefox all hacked at Pwn2Own

updated 04:25 pm EDT, Thu March 19, 2009

Pwn2Own results

On the first day of the Pwn2Own contest at the CanSecWest conference, hackers successfully compromised fully-patched copies of Internet Explorer 8, Safari and Firefox, according to ZDNet. A MacBook running Safari was hacked in seconds by Charlie Miller, winning him the notebook and a $10,000 purse. His previous performance was also impressive, requiring just minutes to take control of a MacBook Air.

An individual known as Nils was able to hack a Sony Vaio running Windows 7 and a patched version of IE8, Firefox and Safari. He also took advantage of vulnerabilities in Firefox and Safari, winning a cash prize and the Vaio notebook.

Company representatives were present to view the exploits. Terms of the contest require that the vulnerabilities remain undisclosed until the software companies have a chance to release a patch.




by MacNN Staff


Comments

  1. Mr. Strat

    Joined: Dec 1969

    +2

    Unimpressed

    Show me someone hacking in without admin rights...without physical access...then I might be impressed. Pulling a cheap trick that relies on PEBCAK...BFD.

  1. martinX

    Joined: Dec 1969

    -1

    Great contest

    This gives white hat hackers a chance at (a) remuneration and (b) kudos. Might help keep people away from the Dark Side.

  1. Zkatz007

    Joined: Dec 1969

    0

    Repeat?

    Didn't this already happen? And weren't @Mr. Strat's arguments stated then, too?

  1. lkrupp

    Joined: Dec 1969

    +3

    The only problem is...

    The various tech media are reporting ONLY that Safari was compromised. They aren't mentioning the other browsers. Only Mac media sites are reporting that all three browsers were hacked. I wonder why that is?

  1. johnsonua

    Joined: Dec 1969

    +5

    Hardly 'just minutes'

    They were allowed to do all the work in advance, finding the exploit, crafting a web page to take advantage of it and the on-scene 'exploit' consisted of the winners directing the people at the keyboards to "click on the link here, please".

    This is merely cheap gimmickry.

    When he can attack a Mac without having the user unlock the front door for him and invite him in, then it will be newsworthy.

  1. mgpalma

    Joined: Dec 1969

    -1

    Newsflash

    My house can be broken into and everything valuable stolen in just 5 minutes...as long as the alarm is disarmed and the front door is unlocked.

    yawn

  1. testudo

    Joined: Dec 1969

    -1

    Re: newsflash

    Not the same thing.

    If they logged into the computer as an admin, left it on, walked away, and then someone else walked up to the machine and claimed "I hacked it!", then that would be the same thing.

    Almost every Windows flaw and piece of malware is due to social engineering. Trying to get people to go to web-site A to get some video codec to see Britney Spears having L****** s** with Justin Timberlake. Or convincing them that they need to download the latest Flash plug-in (and browsers making that so much easier to con people, as users now expect the browser to install it for you, rather than downloading it yourself, then finding the disk image, opening it up, and then running the installer).

  1. testudo

    Joined: Dec 1969

    -1

    oh

    And if the article was all about how IE 8 was 'hacked' in the same manner, everyone here would be chortling about how insecure MS software is and such, and not defending it as a social engineering issue.

  1. fubar_this

    Joined: Dec 1969

    0

    Social engineering==real

    I don't know why EVERYBODY thinks that social engineering attacks don't count. That's ALL THAT EXISTS ON WINDOWS. Look it up. The last self-spreading attack on Windows occurred in 2006 (and it was caused by QuickTime ironically enough).
    Self-spreading malware has been eliminated due to software firewalls and egress filtering. But malware that spreads by asking users to click on a link is very much real, and very very real on the Mac.

    Safari/WebKit/QuickTime have had over 70 vulnerabilities every year since 2005. That's not an insignificant number, and in some years it topped Internet Explorer's vulnerability count.

    Social engineering attacks are very real. Nearly EVERYBODY runs their Mac as admin, and Mac users are no more or less likely to be susceptible to a social engineering attack than a Windows user. Why do you think Apple added anti-phishing and other anti-social engineering measures to Safari recently?
