The Register® — Biting the hand that feeds IT

Safari zero-day exploit nets $10,000 prize

Pwn'd in 12 hours

A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple's Safari browser that allowed him to remotely gain full user rights to the hacked machine. The feat came during the second and final day of the CanSecWest "pwn-2-own" contest in which participants are able to walk away with a fully-patched MacBook Pro if they are first able to hack it.

Picture of Shane Macaulay with back to camera sitting at MacBook in CanSecWest's pwn-2-own contest

The exploit means that Dino Dai Zovi is the rightful owner of the 2.3GHz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program. More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines.

Dai Zovi, who is not attending the conference, was recruited on Thursday night by Shane Macaulay, a friend and conference attendee. The ease Dai Zovi found in pwning the machine was all the more remarkable, given an update Apple pushed out yesterday patching 25 Mac security holes. Macaulay described Dai Zovi's vulnerability as a client-side JavaScript error that executed arbitrary code when Safari visited a booby-trapped website.

The pwn-2-own contest got off to a slow start on Thursday. The rules originally mandated an exploit that required no action on the part of the user. The reward for a successful hack was the machine that had been compromised. Conference attendees were underwhelmed, reasoning a Mac exploit that required no end-user interaction could be sold for upwards of $20,000. Things changed significantly on Day 2.

That's when Tipping Point upped the ante with its promise of a $10,000 bounty. Contest organizers also relaxed the rules so exploits could include malicious websites that attacked Safari. At the time of writing, a second MacBook Pro had successfully withstood attacks. ®

Latest Comments

Take note

All these people who talk about mac os x (and call the experienced users mac fanboys) have never used mac os x in their life!


More details: Quicktime and Java

http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

Hunh. Turns out it's some interaction between Quicktime and Java. So if you use MacOSX and Safari, or MacOSX and firefox, or Windows and IE, or Windows and Firefox, and you have Quicktime (read: iTunes) installed, you can get hit. If you disable Java (Not Javascript), you are not affected on either platform. Is this the premise of write once, run anywhere?

I see the old excuse of market size has been brought out again. While it might be a contributing factor, there are a few counterexamples. The "What?" post has already covered the MacOS 9/X one. I've actually seen Sevendust in the wild on an iMac running 8.6.

Furthermore, SQL slammer had a target population of 100K, and the Witty worm had a target population of only 12K. Apple shipped 1.6M Macs in 07 Q1 alone. Were it purely a function of market share, why haven't there been 3-30 worms a month for MacOS X? Especially considering how fast, virulent, and devastating SQL Slammer and Witty were, despite having a market several orders of magnitude smaller than MacOS X.

http://www.caida.org/analysis/security/witty/

http://www.caida.org/analysis/security/sapphire/

Is MacOS X fully secure? Is Safari? Firefox? Linux? No. Of course not. To claim otherwise is folly. (Andy, you're frothing at the mouth. Remember, we're supposed to be good fanboys. No rabies) Should we simply declare the field level, and simply chalk up IE and ISS's woes to larger market share? Neither that, because it wrongly removes responsibility.

But does this really matter? Should we celebrate other systems' misfortune? No. Worms and other such things affect my systems and servers, even if they never touch or infect them; it adds more strain to the network, and can crowd out legitimate traffic. In this regard, no system is immune to the effects. Should we always strive for improving security? Yes, yes, a thousand times yes. Infighting and OS wars blind us to this fact, that it's everyone's problem.

Anonymous Coward

Java/JavaScript

From all I have read, this is a Java exploit only. Hence, it can affect any browser, any platform.

"to confuse Java and JavaScript - they are NOT related! If you don't understand their respective technology, then just assume Java is secure and JavaScript ain't!"

Thomas, I heard it was the other way around. Java is not secure, and JavaScript can just be a bit flaky.


Javascript ...

is a tragedy waiting to happen. Use the right plugin in Firefox and that problem goes away. Stay away from root and the problem goes further away.

Too many applications, in all the OSes, seem to require elevated privileges to install or even run. So we just crank 'em up. Vista makes a mighty swing at this, but too many people are going to get fed up with all the "are you sure?" and just turn themselves on all the way.


Side Note....

I do enjoy watching "Dodgeball" and watching Ms. Macboy get the crap knocked out of him....

lmao

And as an observation, the only time I've gotten ANY virii on a Winders OS in the past ten years was when my ex opened "trusted" email from a friend of hers - go figure.
