There's a hole in Safari, dear Liza
Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we apologize for the confusion. The winner of the 2009 competition was Charlie Miller (sorry Charlie), and you can read more about this year's competition here -- IE8 and Firefox have also been compromised in the competition. If you're curious about the state of Mac security and exploitation, be sure to check out Dino Dai Zovi's presentation here.
Special thanks to Chris von Eitzen at The H, and to everyone else who let us know!
---
Another year, another Pwn2Own at CanSecWest and Safari falls... in a short time. Well, to be fair, Safari fell after 24 hours and "... a couple of seconds" give or take a few. On day two of the event the "attack surface" widens -- that is, hackers are given more ways to hijack the machine. In this case, it wound up being a hole in Safari. As the barrier was lowered, an email was sent to the judges, who clicked on it, and that link took them to a special page that exploited the vulnerability. The exploit was discovered by Dino Dai Zovi who, "wrote the exploit overnight in about 9 hours" as MacDailyNews reports. Dino was assisted on the ground by Shane Macaulay. As yet, we haven't seen this in the wild and the hole has been properly disclosed to Apple.
As Download Squad notes, Firefox and Internet Explorer 8 were taken down some time later. Before declaring Safari "less secure" then those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it. Further, the exploit that took Dino 9 hours to write isn't publicly available. That said, it stresses the importance of installing browser patches and security updates for your machine. The best part about finding these exploits at events like CanSecWest is that they help make Safari, and every other browser, more secure.
Thanks to everyone who sent this in!
Share
Categories
Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we...
Add a Comment
The key is default configuration. That is firewall disabled, Safari automatically opening downloaded files, no webkit or Safari 4.0B, and a host of other things that are often changed over time. Using a stock installation, MacOS X is not the most secure by any means. However, if you have taken precautions and tricked your machine with the variety of tweaks and changes that have been recommended over time, you can go to some brazenly insecure sites and come away shaken only a little.
March 21 2009 at 1:51 AM Report abuse Permalink rate up rate down Replyso one question not answered yet...was this on safari 3 or the new safari 4 beta? is the exploit open on both versions? maybe its already been patched in safari 4.
i didnt see that in any of the rules...
So many of you bashing Safari but as long as you are running Firefox that's OK. But running IE as an alternative? Using IE means supporting Microsoft. Microsoft virtually has a monopoly with Windows/Office which are some of the most profitable products available. Among others they even lobby governments to get their own way, and they do. IE is a good browser as are the others but there no way I will advertise it because of who owns it. The more support the others get, the better they will become and the technology will advance quicker for all.
@Zactu Not saying we should go out and support IE, but why is it (even with the so-called "biasedness" or whatever nonsense) that Safari fell, but Chrome was left standing?
In the end, it doesn't matter, b/c Apple needs to keep up with these security issues, as well as the community needs to stop being a bunch of apologists and look at things in a more realistic light.
Again, CHROME WAS LEFT STANDING.
"Massive amounts of applications are incompatible with it."
[citation needed]
"Before declaring Safari "less secure" then those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it."
I get the funny feeling this same courtesy would not have been extended to those other browsers in this post had one of them fallen first this year.
What applications? Ones that are standards compliant (being in IT you should know all about standards) or ones that aren't?
Only two browsers are fully standards compliant; Opera (I think that includes the latest version) and Safari.
And I don't see how Safari can be ugly when IE is a confusing mess and Firefox doesn't use a native UI.
isnt it "theres a hole in the buckey dear elijah"? that song from the 90's?
March 19 2009 at 7:35 PM Report abuse Permalink rate up rate down Replyu ppl take urselves too serious, get off the matrix for awhile the real world ain't that bad.
March 19 2009 at 6:29 PM Report abuse Permalink rate up rate down ReplyThe MacDailyNews link in the article above is from 2007. This year's Safari crack was by Charlie Miller:
http://macdailynews.com/index.php/weblog/comments/20497/
And once again people like dastranger completely miss the point. Did you not read the part about need to have somebody sitting locally in front of the Mac and physically clicking a link in an email to get to the exploit in the first place?
Does that sound like a real life situation to you? Is a hacker going to call you on your phone and ask you if you're sitting on front of your computer and would you mind terribly clicking on the link he's going to send you in an email? Has that ever happened to you in real life?
Don't be stupid about this. Yes, there was an exploit found in Safari. No, it cannot be exploited in the real world. Not unless somebody sends it to you in an email and you decide to not only click on it, but then enter your admin password a couple times. That's called social engineering, and no platform is immune to that.
It's good to find holes in Safari so Apple can patch them. It's not good to spread ridiculous FUD about how insecure the Mac is when it's not even close to being true. Buy a clue please, thanks.
Hot Apps on TUAW
Deals of the Day
more deals- Verizon Leather Sleeve for Tablets for $4 + free shipping
- Wicked Jaw Breaker Noise-Isolating In-Ear Headphones for $6 + free shipping
- Refurb Apple MacBook Air Laptops: 12" 64GB SSD for $699 + free shipping
- JVC Motion Sensing Clock Radio with Dual iPod Docks for $55 + free shipping
- Apple iPhone Headset with Mic for $4 + $2 s&h
- Refurb Apple iPod nano 8GB MP3 Player for $99 + free shipping, 16GB for $119
Software Updates
more updates- EFI Firmware Update brings Lion Internet Recovery to 2010-model Macs
- OS X Lion 10.7.3 released with Safari 5.1.3, Wi-Fi bug fix
- Aperture updated to 3.2.2, addresses Photo Stream issue
- Apple updates Keynote to address Lion issues
- Google Search app gets new look on iPad
- Apple releases Apple TV Software Update 4.4.3
Featured Stories
more stories
Popular Stories
TUAW (or The Unofficial Apple Weblog) is a website devoted to tips, reviews, news, analysis and opinion on everything Apple.
36 Comments