Safari zero-day exploit nets $10,000 prize
Pwn'd in 12 hours
A New York-based security researcher took less than 12 hours to identify and exploit a zero-day vulnerability in Apple's Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest "pwn-2-own" contest in which participants are able to walk away with a fully-patched MacBook Pro if they are first able to hack it.
The exploit means that Dino Dai Zovi is the rightful owner of the 2.3GHz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program. More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines.
The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning that a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2.
That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari. At the time of writing, a second MacBook Pro had successfully withstood attacks. ®
All these people who talk about mac os x (and call the experienced users mac fanboys) have never used mac os x in their life!
More details: Quicktime and Java
I see the old excuse of market size has been brought out again. While it might be a contributing factor, there's a few counterexamples. The "What?" post has already covered the MacOS 9/X one. I've actually seen Sevendust in the wild on an iMac running 8.6
Furthermore, SQL slammer had a target population of 100K, and the Witty worm had a target population of only 12K. Apple shipped 1.6M Macs in 07 Q1 alone. Were it purely a function of market share, why haven't there been 3-30 worms a month for MacOS X? Especially considering how fast, virulent, and devastating SQL Slammer and Witty were, despite having a market several orders of magnitude smaller than MacOS X.
Is MacOS X fully secure? Is Safari? Firefox? Linux? No. Of course not. To claim otherwise is folly. (Andy, you're frothing at the mouth. Remember, we're supposed to be good fanboys. No rabies) Should we simply declare the field level, and simply chalk up IE and ISS's woes to larger market share? Neither that, because it wrongly removes responsibility.
But does this really matter? Should we celebrate other systems' misfortune? No. Worms and other such things affect my systems and servers, even if they never touch or infect them; it adds more strain to the network, and can crowd out legitimate traffic. In this regard, no system is immune to the effects. Should we always strive for improving security? Yes, yes, a thousand times yes. Infighting and OS wars blind us to this fact, that it's everyone's problem.
From all I have read, this is a Java exploit only. Hence, it can affect any browser, any platform.
is a tragedy waiting to happen. Use the right plugin in Firefox and that problem goes away. Stay away from root and the problem goes further away.
Too many applications, in all the OSes, seem to require elevated privileges to install or even run. So we just crank 'em up. Vista makes a mighty swing at this, but too many people are going to get fed up with all the "are you sure?" and just turn themselves on all the way.
I do enjoy watching "Dodgeball" and watching Ms. Macboy get the crap knocked out of him....
And as an observation, the only time I've gotten ANY virii on a Winders OS in the past ten years was when my ex opened "trusted" email from a friend of hers - go figure.