March 18, 2009 5:31 PM PDT

Safari hole exploited in seconds at security conference

by Elinor Mills

Updated at 5:53 p.m. PDT with information on a second winner at the ongoing contest.

Charlie Miller won $5,000 after demonstrating a new Safari exploit as part of the Pwn2Own hacking contest at CanSecWest.

(Credit: Elinor Mills/CNET)

VANCOUVER, Canada--The security expert who won $10,000 hacking a MacBook Air in less than two minutes last year won $5,000 on Wednesday by exploiting a hole in Safari in 10 seconds or so.

Charlie Miller, principal security analyst at Independent Security Evaluators, used a MacBook running the latest version of the Mac OS as part of a contest at the CanSecWest security conference called "Pwn2Own," which is hacker slang for gaining control of a computer.

The security hole, which Miller said he discovered last year, allows a remote attacker to gain control of a machine simply by getting the computer user to click on a malicious URL, as Miller demonstrated.

"It's not easy, but this worked with one click" from the Safari browser, he said.

Miller is prevented by contest rules from revealing details of the exploit. He said he told Apple representatives what he planned to do earlier in the day. "They're happy because they get free research and get a bug fixed," he said.

The contest is sponsored by TippingPoint, which will share details on the exploit with Apple and develop a patch for it. TippingPoint is offering $5,000 for each new exploit demonstrated in the major browsers and $10,000 for each successful exploit in the major smartphones, as well.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007.

Later in the day, a 25-year-old computer science student at the University of Oldenburg in Germany won $15,000 for exploits he demonstrated in IE 8, Safari, and Firefox. The student, who declined to give his full name, gets to keep the Sony Vaio he did his exploits on, and Miller gets to keep the MacBook he used.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

160 Comments
by oldmanangry March 18, 2009 5:42 PM PDT
But I thought OSX was a fortress...
by SteveW928 March 18, 2009 6:51 PM PDT
It is... though any fortress can be penetrated. Better to be in a fortress than a tent.

However, try reading the article... this isn't quite what it sounds like...
for example:
"... simply by getting the computer user to click on a malicious URL ..."
so, he didn't exactly 'hack in'... though still useful and good to be pointed out for Apple to fix.

Note what kind of computer he uses to do his hacks.... he likes collecting these MacBooks for prizes. Also, note others hacked IE, Firefox, etc. I doubt any company will close all holes in every product... but if you don't realize in comparison, OSX is a fortress, you're simply not living in reality.
by topgunb2 March 18, 2009 8:00 PM PDT
and you are brainwashed, hypnotized by steve jobs and apple cult!
by SteveW928 March 18, 2009 8:31 PM PDT
@ topgunb2 - Um... no. But even if so, better than to be brainwashed by Ballmer and the M$ lemmings... eekkk!
by OS11 March 18, 2009 9:45 PM PDT
He has never been able to hack OSX, only a browser once he was given full password access to the machine. So it's not that big of a deal when you know the facts of the situation.
by GetOutMore March 18, 2009 9:47 PM PDT
@SteveW928 And I guess Apple products are sold at cost? Because they care. They are green and wonderful and loving and would never want to make an evil profit like mean old Microsoft.
by CrashPad63 March 19, 2009 7:00 AM PDT
OS11, read that again. He was able to get Root Control through the browser. This seems to me to be a double exploit.
by Seaspray0 March 19, 2009 8:43 AM PDT
SteveW is correct in this: Any fortress can be penetrated and a lot of hacks do seem to revolve around the browsers these days.

I agree. There is no such thing as a 100% secure operating system. That includes osx, linux, and windows. All have been improved over the years (all fortresses to a major extent) but as the results showed in the contest this year... ALL still not 100% secure. The worst thing you can do is pretend otherwise. Everyone should take computer security seriously and use whatever steps they can to add more protection (antivirus/antimalware software). How serious? Let me ask you this... would you have sex using a condom that has a hole in it? Think about that the next time you browse the net, regardless of what OS/Browser you are using.
by Sporlo March 19, 2009 4:27 PM PDT
I don't get why people try to bash OS X users by insisting that they all believe it's impenetrable. I've never seen anyone claim that. It's simply really good, not perfect, but it does a good job. And unless you're just REALLY unlucky and you're being INDIVIDUALLY TARGETED, for the most part any security breaches are due to user error or stupidity, not OS.
by santuccie March 22, 2009 1:25 PM PDT
"I doubt any company will close all holes in every product... but if you don't realize in comparison, OSX is a fortress, you're simply not living in reality."
>>That's refreshing. Last I heard, Vista was tougher than OS-X. It took longer to hack last time, and before that time in a Hack a Mac contest by Dino Dai Zovi. He said that OS-X was "LESS SECURE THAN VISTA." And he isn't alone:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072959
http://www.zdnet.com.au/news/security/soa/Mac-OS-X-hacked-under-30-minutes/0,130061744,139241748,00.htm

'"Mac OS X is easy pickings for bug finders. That said, it doesn't have the market share to really interest most serious bug finders," added gwerdna.'


'"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems," said Archibald at the time.'

Eat your words, SteveW928.
by SteveW928 March 24, 2009 6:00 PM PDT
@ santuccie - just add 'paid for by M$' and stir...

If you don't recognize how much more secure OSX is... then you've clearly never used both OSX and Windows in any kind of real way.

Let's put this another way.... I have NEVER had to clean a SINGLE virus off a Mac in 20 years of working with Macs... and even consulting with clients.... not just my personal Macs, thousands of them I have helped to manage. I don't know ANYONE who has ever had a virus either.

On the other hand, I think ALL but maybe one of my friends who run Windows PCs have had at least one virus attack at some point... some of them multiple attacks. Many of them were even running anti-virus software... and most of the people running anti-virus software are constantly having issues caused by the anti-virus software. About the only Windows PCs I know that haven't typically gotten viruses are in corporate settings with good IT managed firewalls and anti-virus protection on the machines.... and a few have even gotten through that over the years.

I totally realize OSX isn't flawless... but sorry, no comparison. Get yourself some real-world experience rather than going off warped press articles and M$ propaganda.
by joetesta70 March 18, 2009 5:47 PM PDT
More POS software from Apple...
by myles taylor March 21, 2009 10:38 AM PDT
And I suppose you're using IE 8?
by dragonsky1 March 18, 2009 6:01 PM PDT
In case you didn't notice, this is a flaw in Safari, not Mac OS. And in case you didn't read the rest of the article, there were also similar flaws found in Firefox and Internet Explorer. It helps if you read the entire article.

Sadly, there are going to be security problems no matter which browser you use. They get some patched up, and more are found. There are many, many ways to exploit Safari, IE, and Firefox to gain control of someone's computer, whether running Windows or Mac. It's just a fact of life. Deal with it.
by catch23 March 18, 2009 8:09 PM PDT
Written by the same folks.
I actually did read the article.

And it is the same with everything that crew writes. The unpatchable QuickTime or Safari.

OSX may fare a little better, but they didn't write that. They cut and pasted from the FreeBSD crowd, because the OS Apple did write was so pathetically bad that not even Apple could use it.
by ianbetteridge March 19, 2009 1:51 AM PDT
One of the definitions of good security at the operating system level is preventing holes from escalating from the application level to the "having control over your entire computer" level. That's why this is a failure at the OS level, as well as application.

The flaw shouldn't be in Safari (or Firefox, or IE). But Mac OS X (or Windows) shouldn't allow the application enough access to the core OS to let its privs escalate.
by pentest March 20, 2009 3:55 AM PDT
MS fans have been conditioned to believe that a browser is actually part of an OS.
by Ed Lin March 18, 2009 6:11 PM PDT
OS X is fine in comparison, though still not as secure as it could be with more attention to updating it. Safari is but one component and unlike IE is not in the kernel or otherwise an inseparable part of the OS, so you can use Firefox on OS X like I do and Safari's security swiss-cheese will not affect the security of the rest of the OS. (Apple made Safari read altogether too many formats instead of being "just a browser" like Firefox, so keeping it secure is nearly impossible due to the overly complex architecture.)
by 3rdalbum March 18, 2009 6:38 PM PDT
Then why doesn't Konqueror suffer from as many security flaws?
by slecalvez March 18, 2009 6:59 PM PDT
Cause nobody uses it?
by topgunb2 March 18, 2009 8:01 PM PDT
@slecalvez are you sure about it?
by rapier1 March 19, 2009 8:38 AM PDT
Actually WebKit, the underlying rendering engine for Safari, is an important component of the OS. If you drag Safari to the trash you still have WebKit on your system. You'll need to remove the WebKit (particularly WebCore) framework from your system library folder in order to purge it entirely. I've no idea what it would screw up but certainly anything that relies on html or xml rendering.
by sciontcya March 18, 2009 6:23 PM PDT
In other news, my 15 year-old found 27 holes in IE in as many minutes...
MS to release patches every day of the month to cover every new hole found.
So freakin' what?
by Vegaman_Dan March 18, 2009 8:59 PM PDT
I'm afraid you may be mistaken if you are in the belief that Microsoft releases patches every day of the month as you put it. That's one of the common complaints, in fact, that they do not release patches soon enough to cover vulnerabilities.

If you are attempting to point out failures, the first failure was in your own post. :/
by Seaspray0 March 19, 2009 8:56 AM PDT
I agree, Vegaman. I wish they released them either on a weekly basis or when they are available.
by homercles82 March 20, 2009 7:49 AM PDT
At least they are all free patches and upgrades.
by pithenumber March 21, 2009 2:12 PM PDT
"every day"
heard of patch tuesday?
apparently not
by ckurowic March 18, 2009 6:32 PM PDT
Let the trolling begin. Get a life. Wow, one Mac OS exploit for every 10,000 windoze exploits. Yeah....Keep using your CRAP OS
by Seaspray0 March 19, 2009 6:56 AM PDT
Take off those apple blinders and look at the truth....

Quote: "The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years".

Source: http://news.cnet.com/8301-1009_3-10154662-83.html
by camman2003 March 19, 2009 7:03 AM PDT
Ironic that you would say let the trolling begin and immediately follow it up with a troll bait comment like that.
by CrashPad63 March 19, 2009 7:19 AM PDT
Check the facts on this one. 815 Apple exploits "patched" VS 678 Windows exploits "patched" in the same 6 year time period. Looks to be like Apple has the most holes.
by ittesi259 March 19, 2009 8:10 AM PDT
CrashPads,

Does Safari have the most holes or did they just get the most patches out? MS has been known to have exploits known and actively used and still not patched....there's an Excel one out there right now, it's being exploited in the wild and MS hasn't fixed it yet.

But then while I love my Mac I am not a fan of Safari and just don't use it.
by Seaspray0 March 19, 2009 9:09 AM PDT
"there's an Excel one out there right now.." Yep. And although excel is not part of the OS, it is microsoft's software... just as safari, itunes, and quicktime are apple software. Companies should be held responsible for patching any flaws found in all the software they release.
by pentest March 20, 2009 3:57 AM PDT
"Check the facts on this one. 815 Apple exploits "patched" VS 678 Windows exploits "patched" in the same 6 year time period. Looks to be like Apple has the most holes."

I realize MS requires you to check your brain at the door, but you might want to retrieve it.

How many exploits for those 815 OS X patches? 0.

How many for Windows? 4847328947983274892375874957497543789543798579349

How many unpatched flaws exist in Windows 4859485089435894390859043859043850984358438438647385693408
by montex66 March 18, 2009 7:03 PM PDT
So you have to click on a specific URL in order for this exploit to work... not much of a danger if you ask me. When someone can hack into my Mac without tricking me into letting them in, THEN I'll start to worry.
by gp2792 March 18, 2009 7:39 PM PDT
THEN it's too late...
by man_w_balls March 18, 2009 8:18 PM PDT
RE: gp2792, "THEN it's too late..."

Yes, your life is over and the hackers rape everything you hold dear...
or you boot the system to another uncompromised disk and remove the problem to regain control
by Vegaman_Dan March 18, 2009 9:03 PM PDT
Considering even a web page on a trusted site can be compromised and the links replaced, then it is a very real possibility. Even more so when it's very easy to spoof the link names, making it look like you are going to www.cnet.com but instead are clicking on that very same carefully crafted link you think you don't have to worry about because you're much too smart for them.

It's the attitude that you have displayed here which demonstrates why this same ignorance makes you a prime target for these sorts of exploits.
by wolivere March 19, 2009 5:28 AM PDT
If I am correct 90% of the exploits we see in MS products require you to A) Click a link B) Open an email with an attachment that is bad

So when this all happens to an MS product MS sucks... when it happens to an Apple product it's okay?
by BtmnHatesRbn March 19, 2009 9:50 AM PDT
@wolivere

When did it happen to an Apple product? Also, M$ phones home constantly, as I see the hard disk light go on and on when I'm not at the computer using it, just letting it idle between tasks, while all of my Macs do nothing, just wait for me. Then, when I scan my computer with SpyBot and AVG, I get list after list of malware, whereas nothing is on Mac. Why? No Active X. If you can cite when this "happened" to an Apple product with three different links to prove your statement, then you have room to write something in regards against Apple.
by rapier1 March 19, 2009 11:02 AM PDT
@BtmnHatesRbn;

Are you saying disk activity is an indication of phoning home? How does disk activity indicate network activity of any sort? The answer: "It doesn't". The disk activity you are seeing may be part of the disk indexing process, it may be optimization activity used to put the most frequently used executables and binaries on the fastest parts of the disk, it may be any number of things. Unless you actually look at the process manager you just don't know.
by Vegaman_Dan March 19, 2009 8:30 PM PDT
@BtmnHatesRbn;

You see the hard disk activity light on your computer when you are not sitting there in front of your computer? That's either some amazing powers of vision you have or one humongously large hard disk activity light you have there. :)

And as for you having lots of malware/spyware on your computer whenever you scan for it, have you considered that it is there because of your own action/inaction in the use of that machine? Did you do something silly like click on a popup warning stating your computer was infected and to run a scan now?

Looks like all your problems are brought on by you yourself.

I've been doing this computer thing since 1987 and have yet to have a system compromised by any virus, spyware or malware. I just keep the machines up to date per the OEM's recommendations and don't do stupid things like click on popup boxes or go to untrusted web sites.
by pentest March 20, 2009 3:58 AM PDT
"If I am correct 90% of the exploits we see in MS products require you to A) Click a link B) Open an email with an attachment that is bad

So when this all happens to an MS product MS sucks... when it happens to an Apple product it's okay?"

You are incorrect. Most Windows exploits happen without user consent or knowledge.
by DrtyDogg March 21, 2009 8:05 PM PDT
pentest, any fact or you just spewing FUD with your comments?
by SlimGem March 18, 2009 7:07 PM PDT
"... allows a remote attacker to gain control of a machine simply by getting the computer user to click on a malicious URL ..."

So where is the bug in Safari? If he hadn't clicked the URL he couldn't gain access. This is simply an exploit that can be perpetrated on anyone.

I want to see this clown take over a Mac without any of this orchestrated rigging.
He couldn't do it this year any more than last year. I call b******t.
by CrashPad63 March 19, 2009 7:22 AM PDT
So shortsighted. That is the exploit to allow the execution of that link in the browser then to allow Root access.
by Dalkorian March 19, 2009 10:04 AM PDT
I've seen a few people here post that it allows root access, but I can't find it on TippingPoint's site. Anyone got a link for the curious?
by captainabab March 18, 2009 7:57 PM PDT
I can't believe anyone is defending Safari because you have to "click on a link"

The entire web is all about links. Anyone can put a malicious link in any forum / blog / comments section and take down any mac user - they end up having to power boot their system.

Explanation of how the hack works and work around to secure your system:

http://rixstep.com/2/20080427,01.shtml
by Vegaman_Dan March 18, 2009 9:04 PM PDT
Good point. All you have to do to be safe is simply don't click on anything in a web page. Yes, your browsing experience might be a bit limited, but you'll be safe. :)
by jminnihan March 19, 2009 6:34 AM PDT
Guess what? I just tried rixstep's page, and all I received was no error at all just normal page text, in fact, using the built in Web Inspector of Safari, i got this nice little error displayed in there "Error: Out of memory". No crashes, no drive by downloads, no nothing!

However, if you really want to cry about something Windows fanbois, visit rixstep's page here: http://rixstep.com/2/20090318,00.shtml

Windows, Give it up dude!
by Vegaman_Dan March 19, 2009 8:34 PM PDT
@jminnihan:

Tried the site with IE8. No problems reported- the script failed to run as IE8 detected and warned against it.

Sorry, you fail.
by gefitz March 18, 2009 7:59 PM PDT
Why does anyone bother to exploit a browser no one uses? Oh yeah...they don't.
by kelmon March 19, 2009 2:43 AM PDT
Sorry? They produced exploits for Safari, Firefox and IE8. Aside from Opera, which wasn't included in the competition as best as I can tell, which major browsers are we missing here?
by Notoapplefanbois March 21, 2009 6:17 AM PDT
@Kelmon,

Chrome.
by Perry_Clease March 18, 2009 8:07 PM PDT
Why do Windows users continue to use a browser, and OS, that has more holes than a sieve?
by kelmon March 19, 2009 2:46 AM PDT
#1 Reason - it runs their applications. Look, I'm a fully paid-up member of the Mac fan club but I'm not naive enough to think that switching to the Mac is right for everyone.
by Perry_Clease March 19, 2009 3:58 AM PDT
@kelmon

I was responding to getfix's snark
by hippiemadness March 18, 2009 8:27 PM PDT
it's funny whenever an Apple fan comments on what they think about the products they use, they automatically become an Apple fanboy. People like what they like. how often do you buy something that you have a good experience with and not praise it. most apple haters just have never experienced the product and make claims. get a life.
by kojacked March 18, 2009 10:36 PM PDT
It's not that they simply praise it. They worship it and crap on everything else. I think Apple technology is great but I'm not gonna tell anyone else that uses something else that their tech is crap. I'll sure and attack arrogant people but not the tech. Many Apple product users are arrogant beyond belief and leave plenty of negative comments about Windows, Linux, you name it when it's an article about those products. To top it off when you are slamming an Apple fanboy for their attitude it doesn't matter how much you use Apple products or say good things about them. You're a traitor and immediately branded a Windows fanboy. So in summary the hate is on the people not the product.
by unknown unknown March 19, 2009 12:16 AM PDT
It's one thing to like something to say positive things about it, it's quite another to have a fanatical devotion to it (being a fan boy). A normal person can, if begrudgingly, acknowledge faults. Fan boys however, go into attack mode when even the slightest imperfection is suggested about the object of their love.

I don't know what your definition of an Apple hater is, but there are elements to the Mac I can't say I am particularly fond of. Same for Windows and Linux.
by kelmon March 19, 2009 2:49 AM PDT
Indeed, this whole obsession with labeling anyone who says something nice about Apple or its products as a "fanboy" is getting out of hand and is thoroughly unwarranted.
by BtmnHatesRbn March 19, 2009 9:57 AM PDT
I would, then, like to state, for the record, as long as CNET archives this webpage, that I have 6 Windows computers, and 7 Mac computers, one running Mac OS 9. I have to use both all day long in the stuff I do, and yes, some applications can't be emulated via Parallels, DOSBox, Virtual PC, etc., properly, so I have to use the real hardware.

But why hate Apple? The Woz of Apple created the idea for home computers to interface with a keyboard and joystick with a screen having the memory on-board and user able to upgrade easily. Before that, there were Altairs and IMSAI computers that used switches, punch-cards, and teletype machines. If Woz never decided to follow Jobs with Apple, you wouldn't have the ability to use a computer at all. Woz even has the patent for the keyboard as an interface device. Look it up, it's around on the Internet. But make sure the site you're clicking on is the real deal...
by hippiemadness March 19, 2009 7:13 PM PDT
I agree that some fans of anything are too obsessive, but what i was trying to state, but i didn't do it too well, is that i could say "i have had nothing but a bad experience with Microsoft and ever since i switched to Apple i have had nothing but a good experience", which is a very true statement, and i am labeled by someone and more likely more than one person as an Apple Fanboy. i look at CNET news daily and i look at all posts, i just like to know what's going on in tech, and it seems that more Apple users are bashed for their simple opinions and experiences. maybe that's just how i view it. i think it's very ironic how people, ie. windows users, will call a person a fanboy and then turn around and become one themselves from what they say in the comments. haha just one man's opinion
by screamapillar March 19, 2009 8:23 PM PDT
The problem, hippiemadness, is that people don't just say "i have had nothing but a bad experience with Microsoft and ever since i switched to Apple i have had nothing but a good experience". They say "Apple is perfect and all the rest of you are stupid for using anything else ever." Here is the reality, I don't believe even your first statement. My Mac bugs me all the time. So does my PC. They both have pros and cons. My god, I'm ready to scream every time iTunes hangs (again) or asks me again about installing some new thing I don't want and have already told it to stop asking or tries to trick my less savvy pal into buying music. And yes, I scream just as much as when Excel tries to "help" me, or IE crashes (again) and my apparently uncrashable machine falls into oblivion (sorry I laugh every time I think of M$ promising that). But then I go and play Oblivion on the PC and love it while I have the Mac render a song I wrote on the piano. It's all good. But the Apple user, instead of respecting that I prefer my PC for something, will berate me for not doing everything via the Mac and for not using cruddy emulators when I want to use a product only out on PC. No I don't want to use an emulator. I have a PC. My choice.

There are many examples of Apple users in this thread that do not respect choices or people that expect double standards - eg. [insert outrageous and unsubstantiated claim] but prove me wrong with 3 sources to back it up. I'm not saying Windows users do, I'm saying your point about the 'fanboy' thing is more about the attitude. There are definitely Windows fanboys that these sentiments apply to as well. As with EVERY other platform out there.
by OS11 March 18, 2009 9:51 PM PDT
Breaking News:

Burglar given keys to house... then breaks in 2 seconds later!

Wow, how amazing!!! NOT... what a bogus contest...

Doesn't C|Net do any factual news anymore?
by kojacked March 18, 2009 10:38 PM PDT
Breaking News:

Burglar knocks on door and homeowner answers it and invites them in.

It's not the door's fault. It's the people that use it.
by Seaspray0 March 19, 2009 7:53 AM PDT
Actually, it's more like this.... homeowner visits a place which happens to be owned by a burglar. Burglar gets the house keys of owners who visit his place. Burglar raids the owner's house without the owner's knowledge.
by OS11 March 19, 2009 10:13 AM PDT
even more correctly, Burglar attempts to attract home owner into giving up keys to their car's glove compartment, but 99.999999% of the time Burglar gives up since no home owner is that stupid. But for that .000001% of the time, Burglar gets access and finds crumpled maps, some old kleenex and a tire pressure gauge.

this shows why contests like these are so bogus, they don't produce anything of any value, nor are they useful in reality.
by DrtyDogg March 19, 2009 2:42 PM PDT
I find the contest useful. That is one less hole in OS X.
by screamapillar March 19, 2009 7:52 PM PDT
OS11 it is not like that at all and I'd hope you know that. Links can be disguised as legitimate so it is far more likely, in your analogy, that the home owner gave the keys to the burglar thinking the burglar was someone they could trust.

Some really stupid people click on those links. Some are not stupid just ignorant. And some are security professionals that are too arrogant to acknowledge that risks and exploits exist even if it involves the user playing some part. Fortunately, contests like this identify these exploits so that all those ignorant people that trust every link they 'think' they can trust are a little safer.
by Angmarr March 18, 2009 10:36 PM PDT
LOL well who could've seen this 1 coming LOL

Just use Firefox
by kelmon March 19, 2009 2:50 AM PDT
...which was also hacked. Did you miss that part of the article as well?
by Angmarr March 19, 2009 11:53 PM PDT
ya but which is safer!
by sharmajunior March 20, 2009 8:30 AM PDT
Try to use Firefox 2.0.1 on the internet now. Your computer will be taken over before you had a chance to type in a URL. Nothing is safe. Just hope people as good as that guy mentioned up there find and notify the companies about the exploits and loopholes so we have less to worry about.

I simply don't get the Windows to Mac fight. Everyone sounds like a little kid who nags and teases the other by saying "My thing is better than yours..na na na nag". If I am not mistaken I will be attacked by someone who is loyal to either thing which would prove my point.

I use both OSx and Windows. Both have their fair share of responsibilities that they help me with and both work well. I have mostly had very little problems with both of the OSes. I develop for both and I like having the backwards compatibility with windows as it allows me to use some old software that normally wouldn't have been able to use. With my Mac, I can do a lot of image editing and other stuff that either takes longer on windows and sometimes I can't find the proper software for it simply becoz some software is made exclusively for OSX.

In other words what I am saying is, use both of them if you can. If you don't like either one, use whatever works for you.
by Notoapplefanbois March 21, 2009 6:23 AM PDT
Well actually chrome didn't get hacked since its prohibited URLs come from google and the OS. Unlike other browsers where it gets the prohibited sites list from the program itself.
by seven7dust March 19, 2009 12:23 AM PDT
which is why I use Opera nowadays still the world's safest browser
having learned that safari is good but overall it's still a bit of a Security risk
and opera 10 alpha is fast and has so many usable features that FF lacks

BTW still no Spyware on my Macbook with zero protection and full usage with no fear
on my Windows XP desktop I get some on almost a daily basis with mild usage and protection
it also requires Adaware spybot and spy sweeper scans every week to get rid of !

I wonder if real world security is more important or some spoon fed hack in a lame hacker fest
the chances of which happening in real life r close 0.00001% considering Macs aren't even targeted

and BTW still no major outbreaks of viruses on OSX
that's right 10 yrs in and still not even one major outbreak kind of strange don't you think
by kelmon March 19, 2009 2:55 AM PDT
Question: how do you know that Opera is the "world's safest browser"? What you can say is that Opera has fewer known exploits than the other major browsers but whether this means that it is actually "safer" is up for debate, much like claims that OS X is safer than Windows.

All we know from this competition is that researchers who attended the event know of flaws in each of the major browsers and were able to demonstrate them within the time allowed. As an evaluation of overall application/platform security I don't think that it means very much.
by ausernamenoonehaschosen March 19, 2009 5:16 AM PDT
Ditto to everything you said seven7dust. It seems every time an exploit is found, it affects Safari, Firefox, and IE. If it does affect Opera, it is an earlier version (I remember a dangerous exploit not too long ago that affected all of the latest browsers, and Opera 7, however, Opera had just released 9 at that point). Using Opera on my Mac for 8 years now with no security has resulted in 0 problems.
by seven7dust March 19, 2009 10:03 AM PDT
@kelmon
it's easy by facts
still no attacks on Opera or major Security threats on OSX
so it's safe to say OSX is more secure than Windows
and opera is definitely safer than FF or safari

People seem to be forgetting about real world usage
and concentrate on patches and exploits
Who cares how many holes or patches there are?
as long as you don't get affected which is a given on Opera and OSX
that's what matters to me in the end!
by Vegaman_Dan March 19, 2009 8:36 PM PDT
The very same logic that Seven7Dust is using totally explains why there are tons of aftermarket accessories for Chevrolet, Ford, Dodge, Honda, and Toyota brands with high demand and popularity for their use and none at all for the Yugo.
by jameskatt March 19, 2009 12:39 AM PDT
Mac OS X is 10 years old.
And still no viruses or worms.

There doesn't seem to be a way to break into it unless one has physical access to it AND uses a browser.

Even if using a browser, one still can't remotely control the Mac. It's only the browser that is the problem. But then every browser has lots of security holes.
by shellcodes_coder March 19, 2009 6:33 AM PDT
10 years old and still so little market share and users LOL
by CrashPad63 March 19, 2009 7:38 AM PDT
Why bother with it? 5-8% VS 90% you do the math.
by SlimGem March 19, 2009 8:42 AM PDT
"Why bother with it? 5-8% VS 90% you do the math."

No, you guys do the math. I'll stick to using the safest and most stable operating system and software available. No anti-virus needed. And no annual reformatting to keep my computers running.
by rapier1 March 19, 2009 8:46 AM PDT
@SlimGem,

So you use OpenBSD then? SELinux?
by sharmajunior March 20, 2009 8:34 AM PDT
@ jameskatt

"And still no viruses or worms". Give me your IP address, I'll send some viruses and worms made exclusively for Macs. Don't come around with the argument that Macs don't get viruses or the other way around linux doesn't have any virus. Just because you haven't encountered or seen any doesn't mean that there aren't any.

If you would love to have some viruses, spyware etc. Let me know. I'll help you out. I have got some really nasty ones that I am sure you will enjoy and remember.

Have a nice day.
by Canok March 19, 2009 3:33 AM PDT
To me the biggest iDiots are the folks at TippingPoint for sponsoring the contest.

They know these people are in the business of looking for weaknesses in the OS(s) or web browsers and then they gave them the key to open the door to the house and then they reward them for breaking into the house.

What a bunch of iDiots. Hello, in these difficult times giving money to the needy makes more sense.
by Seaspray0 March 19, 2009 8:03 AM PDT
"these people"... In what way are they different from hackers who are also looking for weaknesses in the OS(s) or web browsers for either prestige or monetary gain? Perhaps it's because they are doing it openly in a contest and against designated computers rather than behind closed doors where the computer they hack could be yours. I know which one I'd rather see.
by Dalkorian March 19, 2009 9:58 AM PDT
I agree with very few of Seaspray0's posts, but this one is an exception. I have no problems whatsoever with what TippingPoint is doing here, in fact I'm happy they're doing it!

The software maker gets the details of an exploit to their software and the publicity to prompt them to fix the problem.

The hacker gets some money, a prize and some publicity for showing the exploit instead of using it.

The consumer gets updated software that is more secure than it was before.

Remind us where the "bad" is in all this?
by DrtyDogg March 19, 2009 2:44 PM PDT
It is "bad" because it was a Mac that was hit first.
by ausernamenoonehaschosen March 19, 2009 5:17 AM PDT
Last time when he broke into the Air it turned out he was given full access to network, and the firewall of the Air was off. I wonder how spoonfed he was this time.
by shellcodes_coder March 19, 2009 6:32 AM PDT
And again Apple still fell first LOL
by OS11 March 19, 2009 7:35 AM PDT
the only reason Safari / Java was hacked (OSX has never been hacked in any of these events) is the prize was a MacBook. Nobody would even show up if a windows or linux PC was the prize... those just aren't valuable, but a Mac is golden since it's the most secure PC you can own. hackers know this, so that's why they focus on Java weaknesses on these systems.
by Seaspray0 March 19, 2009 8:09 AM PDT
@OS11. You are so full of it. You should read this too...

Quote: "The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years".

Source: http://news.cnet.com/8301-1009_3-10154662-83.html
by Dalkorian March 19, 2009 10:12 AM PDT
So Seaspray0, where are all the exploits in the wild? Name one current virus or worm for any *nix derivative (Linux, OS X, Unix - take your pick).

I bet I can find 5 for winblows for each one you can find for *nix. Currently exploited in the wild - hell, I'll even restrict myself to unpatched ones. I'll still win.

Don't misunderstand my "attack" here - NOTHING IS INVULNERABLE. Imperfect human beings are by definition incapable of creating perfection. But there is a difference between "vulnerability" and "exploited in the wild for the last year, causing millions of zombies". And it's not market share either, otherwise OS 9 wouldn't have had any viruses for it either (it did - quite a few in fact).
by OS11 March 19, 2009 10:16 AM PDT
@Seaspray0

But if you read the article, those were just "vulnerabilities" not anything that ever allowed access to those OSs. you need to learn UNIX based OSs are far different than the kludge of Windows, that's why nobody has been able to hack or crack UNIX systems. Those are the facts, deal with it...
by rapier1 March 19, 2009 11:23 AM PDT
@OS11:
Nobody has been able to hack or crack unix systems? Excuse me? I hate to be the one to disabuse you of this notion but as someone who's been involved in the unix world for 20 years I can assure you that unix systems have been hacked, cracked, pwned, infected, and rooted. Even a cursory review of the literature clearly demonstrates that linux systems have their own vulnerabilities and exploits. Windows may get all the press but it happens in the unix world as well. For example: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=92230
These weren't windows systems that were hacked but top end systems generally running RHEL, CentOS, and other linux variants and were being administered by some of the smartest people in the field. Heck OS11, most of the basic techniques of hacking, cracking, and pwning were developed on unix systems.
It's not like the ring security model is invulnerable.
by screamapillar March 19, 2009 8:02 PM PDT
Ahh rapier1, so refreshing to read someone who knows what they are talking about instead of BS like "my favourite product is flawless". Thank you.

There are no flawless products. All systems have risks and your role as the user is to be aware of that. Pride always comes before the fall. I know windows is flawed. I know it is a virus magnet. But I acknowledge that and keep it in mind. But I don't pretend my linux system or mac is invulnerable if I want it to stay clean/secure.

Oh, hey hippiemadness - just read OS11's responses - just a good example of what I was referring to. People that don't back up any of their claims but demand 3 references (as someone did in this set of posts) for anyone to 'prove them wrong'. Bah
by sharmajunior March 20, 2009 8:37 AM PDT
I agree with rapier1.

Just look at the internet. What are most of the main servers running the internet running on?
by pithenumber March 21, 2009 2:31 PM PDT
@Dalkorian
so you want me to download the src run of the mill UNIX networking or remote access tool
turn it into a RAT
and put it up on TPB
then tell you about it
okay!
*off to work*
by bgnm March 19, 2009 7:21 AM PDT
Apple haters make such inane comments! When the only thing they have to say is not worth listening to, they scream it so loudly that it can't be ignored. In so doing, they mostly reveal their limited capacity for rational discourse.
by Sporlo March 19, 2009 4:43 PM PDT
It seems the only thing you have to say is not worth listening to (neither is my comment).

Also, using that kind of grammar doesn't make you seem smarter. You can't disguise bad content with pretty grammar.
by screamapillar March 19, 2009 8:03 PM PDT
Oh look hippiemadness - another example for you.
Showing 1 of 2 pages (160 Comments)