Safari used to hijack MacBook Pro at Pwn2Own 2011

A flaw in WebKit, the engine that underlies Safari, Mobile Safari, and several other browsers, was exploited in this year's "Pwn2Own" competition, as reported by ZDNet and many others. This is noteworthy for several reasons. First, the exploit did not use Flash; you will remember that last year's Pwn2Own winner stated "the main thing is not to install Flash" for browser security. Second, WebKit is used not only by Safari but by several other browsers, including a number of mobile browsers, although it is not immediately apparent whether this same bug could be exploited on a mobile platform. It is also possible that the exploit could affect Windows and even Linux computers running a WebKit-based browser, but details are not fully known.

Computerworld noted that Google's $20,000 reward for anyone who could break into Chrome on opening day went unclaimed, as the contestant who had signed up did not appear at the Pwn2Own contest. It is unknown whether Google paid to have him assassinated (that's a joke folks, lighten up). Computerworld went on to note that according to the current schedule no one is even going to try to attack Chrome this year, meaning that it could survive a record three consecutive Pwn2Own contests. That is particularly surprising to me since Google Chrome includes its own version of Adobe Flash, but if you're looking to use the most secure browser out there, Google Chrome looks to be your browser of choice.

[via Slashdot]



Categories

Safari

A flaw in WebKit, the engine that underlies Safari, Mobile Safari, and several other browsers, was found to be vulnerable in this year's...
 

Add a Comment

*0 / 3000 Character Maximum Comment Moderation Enabled. Your comment will appear after it is cleared by an editor.

34 Comments

TJ Luoma


Chrome hasn't been defeated in 3 years.

No one even bothered to try this year.

Those statements are not the same as saying that no one has tried.

The idea that someone has found a flaw in Chrome but hasn't made it public and hasn't wanted to claim a $20,000 reward because they are going to be paid much more by some secretive undercover society is eyeroll-worthy, especially when you consider that there are also no known victims of any of these secret exploits.

So… they're keeping them a secret, hoping that Google doesn't find them and fix them, and not using them… or, they're using them, but they are SOO SUPUR SEKRIT that people DON'T EVEN KNOW they've been the victims of the exploit.

That's the counter-argument.

I dunno, maybe it's just me, but I find it much easier to believe that Google has just done a better job protecting its browser. Mostly because I don't believe that people are going to walk away from $20,000. Could I be wrong? Sure.

If Safari had been unscathed for 3 years running, Mac fanatics would be shouting it from the rooftops.

March 10 2011 at 7:55 PM
1 reply to TJ Luoma's comment
KeynoteKen

Actually, you sound like the Mac fanatics from years ago putting forth the argument that since no one has tried, it must be secure. And, I make the same points to them that I make to anyone that sees a lack of visible activity as a proof of security.

From the news today, Google patched 23 security flaws in Chrome 10, 15 of which were deemed critical. Before Pwn2Own, they patched 19 holes in Chrome 9. AND, they were working with security researchers who had found the vulnerabilities and helped Google to patch them. There are surely many more exploits that haven't been reported, and to assume that only responsible security researchers have the skill to find and use them is not realistic.

March 11 2011 at 1:13 AM
scw

If the WebKit exploit works in iOS, then jailbreakme.com could come back!

March 10 2011 at 6:19 PM
Couch Pundit

Yeah--but which version? There were several security updates in the last few days.

March 10 2011 at 2:30 PM
Billy Barnes

Is Safari (or Firefox, or Chrome) more secure than Internet Explorer? I think so. Why? Because people are constantly finding exploits. The argument that keeps appearing in the comments seems to claim that I can't hold that opinion.

It is always possible that there are undisclosed exploits. There is no way to prove that there aren't (since they're undisclosed). But it's a useless factor since it's equally true of every single browser. We have to make our judgment on security based on other factors.

Chrome *appears* to be more secure than Safari because people were offered fame and fortune (and more fortune for Chrome than Safari) to find a flaw. Nobody came forward to collect the reward for Chrome while somebody did for Safari. Presumably, people tried at least as hard to crack Chrome as they did for Safari. That's a good indicator.

Chrome may not *in actual fact* be more secure. It may have a horrible vulnerability that is so lucrative that it could be exploited to gain much more money than Google offers. On the other hand, so could Safari. Possible undisclosed vulnerabilities are a useless factor.

March 10 2011 at 11:20 AM
3 replies to Billy Barnes's comment
Neel Shah

Isn't part of the contest that if you hack Safari on the MBA, you get the MBA? Isn't that a good prize to aim for? What would the hacker get if he hacked Chrome? The Cr48? I feel that this way of giving prizes is kind of biased depending on what prize you want. To be fair the contest should have first, second, and third prizes for who can hack whichever browser fastest. That would be a fairer way of judging which browser is safer.

Either way, the good thing about this is that it allows all browsers to eventually patch up these vulnerabilities.

March 10 2011 at 11:10 AM
2 replies to Neel Shah's comment
KeynoteKen

Even greater, this is the reason why it's a bad idea to pay for exploits: someone could have been aware of an exploit since late last year, but they sat on it and didn't report it. Meanwhile, if a "black hat" comes up with the same exploit (or finds out about it from the same person), now they're free until March to do whatever they want with it, knowing that it's not going to be reported at least until then (and not able to be patched until some time later). Prior winners have said that they didn't report the bugs because they hoped to present them at Pwn2Own and win a prize.

March 10 2011 at 11:19 AM
deej

Google was offering an additional $20,000 or so on top of whatever hardware and cash were being offered by the competition.

March 11 2011 at 1:06 PM
JC

For the record, I'm not making a claim about security (on OSs or browsers); just thought I'd point out the remarkable genius present in most of the comments here.

March 10 2011 at 10:50 AM
Doug

In reply to everyone saying Chrome uses WebKit so it must be exploitable, it's important to remember that Chrome uses a different sort of split-process model. Further, their implementation of sandboxing is directly related to the split-process model. The short version is that two of the most exploitable processes in browser security, HTML rendering and JavaScript interpreting, live in their own processes in Google Chrome, and those are in the "sandbox". Safari, as far as I know, doesn't do that yet. So even though the vulnerability was in WebKit, there's a good chance that Google Chrome isolates that vulnerability far differently than Safari does. I'm not saying that it makes Chrome "better" than Safari, I'm just saying it helps to know the facts before railing against the claims.

I think that the point of the claims was that Google is offering a "superior" reward to crack their browser, but even with the extra incentive nobody tried. Since most of the teams who crack these browsers actually work for months on identifying exploits (these hacks aren't made on the spot at this contest, they are planned out far in advance), the author seems to be implying that even with ample preparation, Chrome is "safer". That might not be the case, but that seems to be the implication.

Lastly, I'm pretty sure it was an Air, not an MBP.

March 10 2011 at 10:44 AM
1 reply to Doug's comment
KeynoteKen

But, imagine the person (or one of the few persons) who knows how to hack Chrome AND is using that exploit currently to skim credit card numbers from users who are assuming they're secure. Are they REALLY going to report it so that Google can fix it and end their revenue stream?

This is the same thing I've thought for some time about OSX. Yes, there are folks that bring forward hacks that basically say "You've got to get the user to do this and you win", but as sure as there's an X in OSX, there are remote exploits to be found, they're just not reported.

March 10 2011 at 10:59 AM
Randy

These contests are so phony. Too often, the hacked machine has been set up with special rights or the hacker has physical access.

Eh...I guess it makes for something for people to read.

March 10 2011 at 10:43 AM
1 reply to Randy's comment
TJ Luoma

Going to a website caused an application to be launched and a file to be written to the local hard drive.

It's pretty clear this is a flaw.

Whether or not the flaw was fixed in 5.0.4 is another question entirely.

March 10 2011 at 7:57 PM
Charles Wise

Both a browser rendering engine (the thing that turns HTML into text and graphics) and plugins are very, very difficult to secure. The rendering engine (and JavaScript interpreter) are extremely complex pieces of code. The higher the complexity, the more likely a security flaw will creep in - even when you're careful. In addition, the plugins are written by third parties who have a track record of failed security.

Google Chrome (and, to a lesser extent, IE) use a "sandbox". Chrome walls off the rendering engine and provides a channel to it to send and receive data. The result is that a WebKit flaw can compromise the rendering engine but not the browser and not the computer the browser is running on.

Chrome uses the operating system's native mechanisms for creating that sandbox. Windows can do it, OS X can do it and so can Linux. So far, nobody in the Pwn2Own community has found a way to circumvent the Chrome sandbox. They _have_ found a way to circumvent IE's sandbox.

The next major revision of the WebKit engine implements a sandbox as well. The reason Safari didn't just incorporate Chrome's version, is that the WebKit developers wanted to move the sandbox into the WebKit engine, not the surrounding browser. That way, everyone who uses WebKit will automatically gain sandbox support. That includes iTunes, third-party WebKit browsers, and any other software that includes an embedded WebKit browser.

Until that point, you're not going to see much in the way of increased security from Safari, just more of the same patch-and-release.

March 10 2011 at 10:40 AM
Mike

The comments thus far against this article have no logical basis. The writer of the article bases his assumptions on the logic that any hacker wants $20,000 and a claim to fame. What other possible theory are you all suggesting? Google paid off everyone who signed up? Maybe Google made it impossible to sign up? The writer's logic is solid; it may not be 100% accurate but it deserves to be considered plausible.

March 10 2011 at 10:33 AM
3 replies to Mike's comment
© 2012 AOL Inc. All Rights Reserved.