Filed under: Security
There's a hole in Safari, dear Liza

Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we apologize for the confusion. The winner of the 2009 competition was Charlie Miller (sorry Charlie), and you can read more about this year's competition here -- IE8 and Firefox have also been compromised in the competition. If you're curious about the state of Mac security and exploitation, be sure to check out Dino Dai Zovi's presentation here.
Special thanks to Chris von Eitzen at The H, and to everyone else who let us know!
---
Another year, another Pwn2Own at CanSecWest, and Safari falls... in a short time. Well, to be fair, Safari fell after 24 hours and "... a couple of seconds," give or take a few. On day two of the event the "attack surface" widens -- that is, hackers are given more ways to hijack the machine. In this case, it wound up being a hole in Safari. Once the barrier was lowered, an email was sent to the judges, who clicked a link in it, and that link took them to a special page that exploited the vulnerability. The exploit was discovered by Dino Dai Zovi who, as MacDailyNews reports, "wrote the exploit overnight in about 9 hours." Dino was assisted on the ground by Shane Macaulay. As yet, we haven't seen this in the wild, and the hole has been properly disclosed to Apple.
As Download Squad notes, Firefox and Internet Explorer 8 were taken down some time later. Before declaring Safari "less secure" than those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it. Further, the exploit that took Dino 9 hours to write isn't publicly available. That said, it stresses the importance of installing browser patches and security updates for your machine. The best part about finding these exploits at events like CanSecWest is that they help make Safari, and every other browser, more secure.
Thanks to everyone who sent this in!



Reader Comments (Page 1 of 2)
ds said 2:35PM on 3-19-2009
So, time to call Henry on the Safari Dev Team. See if he can get some straw, though I'm not sure how to cut it...
Howie Isaacks said 2:46PM on 3-19-2009
Big deal! The "test" was not done under real world circumstances. It is therefore invalid. How much publicity is this going to get?
dastranger said 2:53PM on 3-19-2009
Gotta love apologists.
Get over it, Safari was owned.
Howie Isaacks said 3:03PM on 3-19-2009
I'm not an apologist. I just don't see the point hammering away at the exploit that was found. No browser is totally secure but, I think this guy has something against Apple and Safari. That's why I have a problem with constantly broadcasting this crap everywhere.
dastranger said 3:09PM on 3-19-2009
@Howie Isaacks That still doesn't excuse the fact that Safari lost first. It still doesn't excuse the fact that the exploit was a KNOWN exploit by Apple that has YET to be fixed.
FearlessFreep said 3:13PM on 3-19-2009
Looks like the rules from the CanSecWest link are pretty 'real-world-ish.' But you're missing the point here entirely - events like this serve as a controlled check and balance for software so that exploits can be identified and summarily patched. The goal isn't to expose Safari or Firefox or any other browser as bad, per se. It's to help the security and software community make their applications stronger. And that is a good thing. Note, too, that Firefox and IE 8 were also both summarily exploited.
JKT said 2:59PM on 3-19-2009
"it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it."
Isn't this true of any security hole?!?
Victor Agreda, Jr. said 3:08PM on 3-19-2009
I think it's important to stress that point to people who might not be familiar with security patches, or even nervous about them. Often people see this and scream about Safari being "less secure" than other browsers. All browsers have holes, and that's why we have stuff like Pwn2Own -- everyone could use help finding vulnerabilities and fixing them.
Geth said 3:11PM on 3-19-2009
at #4: you're basically on an apple fan-blog. Did you expect posts to be unbiased? ;)
dastranger said 3:30PM on 3-19-2009
Well, I am one of those Apple fans, but I recognize when something needs to be fixed. It seems as if the ENTIRE Apple community "gets their panties into a bunch" when something like this happens. It just goes to show that no OS or browser is completely safe, yet time and time again the entire community constantly tries to come up with excuses.
Guess what guys, it doesn't help, and just makes us (Apple fans) look worse.
Shane said 3:11PM on 3-19-2009
What this article fails to talk about is what the outcome of the security flaw is. Does the entire OS become vulnerable (doubt it), does it just crash the browser? Does it provide root access? Does it invert and mirror the monitor?
One of the primary reasons OSX is so secure is that while the individual components may get compromised, the system as a whole does not. I don't think this is as big of a deal as some may think.
oedipus said 4:58PM on 3-19-2009
Actually, the rules are pretty laid out beforehand. In order to win, you must successfully execute code on the machine, whether or not it has root access or just user privileges, I don't know exactly:
http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009
Rules
The browser targets will be IE8, Firefox, and Chrome installed on a Sony Vaio running Windows 7 as well as Safari and Firefox installed on a Macbook running Mac OS X. All browsers will be fully patched and in their default configuration as of the first day of the contest. The mobile device targets will include fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations. A full list of available interfaces will be made available on the CanSecWest website under the Pwn2Own rules.
To participate in the contest, you can choose either or both technologies and must generally prove successful code execution. A contestant may only win one prize per flaw (e.g. if he is able to pwn a browser and a mobile device using the same flaw, he has to choose one to go after). Winning entries against the browsers include exploits which require no user interaction outside of a single click on a malicious link. Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and proving successful exploitation of one of the mobile devices will be verified by our team of hardware hacker judges on the ground at the event.
William said 12:03PM on 3-20-2009
They actually do take over the Mac that is running Safari.
Geth said 3:12PM on 3-19-2009
Sorry, I must've gone blind or something... #4 should be #3
ChrisF said 3:42PM on 3-19-2009
Nice Spearhead reference :)
Zak said 3:43PM on 3-19-2009
And once again people like dastranger completely miss the point. Did you not read the part about needing to have somebody sitting locally in front of the Mac and physically clicking a link in an email to get to the exploit in the first place?
Does that sound like a real life situation to you? Is a hacker going to call you on your phone and ask you if you're sitting in front of your computer and would you mind terribly clicking on the link he's going to send you in an email? Has that ever happened to you in real life?
Don't be stupid about this. Yes, there was an exploit found in Safari. No, it cannot be exploited in the real world. Not unless somebody sends it to you in an email and you decide to not only click on it, but then enter your admin password a couple times. That's called social engineering, and no platform is immune to that.
It's good to find holes in Safari so Apple can patch them. It's not good to spread ridiculous FUD about how insecure the Mac is when it's not even close to being true. Buy a clue please, thanks.
Dave said 4:04PM on 3-19-2009
Exactly.
The weakest link is always the end user, in any OS. So, as always, don't be stupid and you'll get by just fine.
bugster said 6:41PM on 3-19-2009
If you read oedipus' post you'll see it was very real world, the rules only allow a single click on a link in a webpage using the browser provided, NO extra authorizing a download, NO entering of your password and the exploit must execute its code from that single click.
If the exploit works according to the rules then any link on any webpage could be dangerous, that's not social engineering, that's a mine field. Remember IE5, BHOs and half the sites on the internet installing malware without any notice?
I know I'm exaggerating a bit, but single link, no authorization exploits are seriously bad.
The one thing in the rules that troubles me is that they use Safari as it's installed by default. Does anyone remember if a new install has "open safe files after downloading" checked or unchecked? If checked is standard then the exploit may play on that, but that's been a known vector for a long time.
Zak said 7:58PM on 3-19-2009
Bugster: what? It says right there in the article that somebody sitting in front of the Mac had to click a link in an email to get it to run. That is called social engineering. Period. As in, nothing will happen if YOU don't click that link.
Wake me up when somebody is able to actually hack into a Mac remotely. You know, without needing your permission to do it.
Patrick J-Whitty said 3:56AM on 3-20-2009
Of course it's a real world situation. There are plenty of users that will just click on a link sent to them in an email, even if it is from someone they don't know. How do you think viruses spread so quickly on Windows? It's because of stupid people doing stupid things. Just because you know better than to click on that link doesn't mean that the rest of the population does.