Version: 2008

Comments on: Safari hole exploited in seconds at security conference

Charlie Miller, who won a contest by hacking a MacBook Air last year, exploits a security hole in Safari within seconds at the CanSecWest security conference.

Showing 2 of 2 pages (160 Comments)
by eltoro2827 March 19, 2009 8:29 AM PDT
apple suxs...people who buy them try to be distinguished but they also install windows....
[CNET editors' note: Prohibited content deleted.]
by OS11 March 19, 2009 10:17 AM PDT
only Windows users ever install Windows software on Macs, but then stop going into Windows after a few weeks... A Mac user would never have a need for Windows, the software just isn't there for the Windows platform now that Macs have taken over the market.
by screamapillar March 19, 2009 8:54 PM PDT
I take it you don't actually use a Mac in real life then?
by screamapillar March 19, 2009 8:56 PM PDT
I take it you don't actually use a Mac in real life then? - just an edit, this is @OS11. I actually use my Mac for actual work and so yes, there is stuff that will not work on the MacOS. Even the so called compatibility stuff isn't spot on (although I personally blame M$ for that, it doesn't solve the problem for me).
by darthstupid March 19, 2009 9:24 AM PDT
What a jerk! He's been sitting on a bug since last year and instead of doing the right thing and informing Apple or the WebKit developers he instead uses this contest as blackmail.

The bigger problem is that this contest is poorly run. They allow you to bring in work you've already done. Most security contests don't announce to everyone the setup well in advance so people can work on it before the stopwatch ever goes off. All this is is a contest to see who can execute a hack they worked on well in advance of the contest the fastest.
by OS11 March 19, 2009 9:46 AM PDT
quite true, the contest was a complete farce. why doesn't someone run a contest where there is NO physical access to the machine? that would represent a "real life" scenario... maybe offer $100,000 to anyone that can crack into OSX? That way the host of the contest wouldn't have to worry since OSX can't be cracked from the outside.

those rules would be much more fair, real world and interesting.
by Dalkorian March 19, 2009 10:21 AM PDT
I also notice the fact that he's been sitting on this for a year, but let's be totally honest here. Isn't this situation better than the one where he releases this to the wild and tries to exploit every Mac user on the planet?

Next month all Mac users will be safer online because of this (Apple is typically pretty good at patching problems like this fairly quickly). How long have winblows users been fearful of that ex-hell exploit that's making the rounds now and remains unpatched by M$? How much longer will they have to wait?

The way that TippingPoint has kept this contest in the headlines over the last few years is by tweaking the contest to get quick exploits. I couldn't help but notice that this year seems to be targeting applications, browsers specifically, and not the OS's directly as in previous years. The reason seems obvious - no one was bothering on the OS exploits and simply waiting for the easier browser exploit days. So ....

I think this is a great thing myself. The software maker gets prompted to fix the problem with the headlines the contest is generating and gets the details of the exploit (so they know what they're fixing). The consumer gets an update to their software (hopefully sooner rather than later) and in the end is more secure using it. The hacker gets some dough, a prize (laptop) and publicity WITHOUT doing any actual harm to anyone.

I can't see anything bad about this at all, even if it is a little "rigged".
by Sporlo March 19, 2009 4:45 PM PDT
It's a competition, which means it's for FUN, MONEY, and SHOW. That almost automatically makes it "rigged". It's got to look good to others too if it wants to get noticed.
by darthstupid March 19, 2009 5:17 PM PDT
@Dalkorian

I would agree with your statement if he wasn't a security researcher getting paid to do this work in the first place. He works for ISE, a security research firm. This is basically a bonus for him, or getting paid twice for work he did once. It's bad form for him and worse for ISE as they would seem to condone his actions by proxy.

If he turned to "the dark side" ie, went blackhat and released his exploit into the wild I would expect that he turn in his badge at ISE at the same time.
by Dalkorian March 20, 2009 12:23 PM PDT
by darthstupid March 19, 2009 5:17 PM PDT
@Dalkorian

I would agree with your statement if he wasn't a security researcher getting paid to do this work in the first place. He works for ISE, a security research firm. This is basically a bonus for him, or getting paid twice for work he did once.

----------------------------------------------------------------

We might have to agree to disagree on this one. How many times do musicians get paid for their music? I don't have a problem with him getting a bonus for his work at all since his work is in the end making the world (well, internet:)) a better and more secure place.

As for if he turned black-hat, I wouldn't expect him to necessarily turn in his badge. That would take honesty and integrity, which might arguably be lacking on the dark side of the force.
;-)
by pithenumber March 21, 2009 2:37 PM PDT
@OS11
if there ever is a contest like that
sign me up!
I need a 100k
*writes virus and waits*
by kgolde March 19, 2009 10:29 AM PDT
conficker
by dadsgravy March 19, 2009 12:16 PM PDT
Blah, blah, blah. He did the same thing last year and me and my mac are still here. Waiting. Well?
by Dalkorian March 20, 2009 12:25 PM PDT
Apple patched last year's exploit roughly a month after the contest, so you and your Mac are still here in part because of last years exploit.

Patches are good - they're attempts to acknowledge and fix issues caused by the fact that no one (not even a group of people) is perfect.

Exploits in the wild are bad.
by wigmo March 19, 2009 2:14 PM PDT
So here is what I read: "Hacker discovers safari exploit but sits on vulnerability for months so he can cash in on $5,000". I hope some poor 17 year old valley girl's iMac wasn't compromised in the meantime.
by pithenumber March 21, 2009 2:38 PM PDT
It's better than releasing to the wild.
by realneil March 19, 2009 2:18 PM PDT
I don't think that any OS is totally secure. Nor any browser, nor anything that is programmed by human beings. LOL!
There will always be humans who figure out your code, because there are a lot of really SMART people out there, smarter than you, whoever you may be.
That said, a little proactive prevention will go a long way to protecting us small fish in the pond.
Staying away from certain web sites will help too.
by SenorFrog March 19, 2009 3:57 PM PDT
If he gained root access with this exploit, it's too bad since that means Apple has gone down the same path as Microsoft and made the browser too integrated with the OS. Correct me if I'm wrong but isn't a quick and dirty solution to use a different browser, like Firefox, on your Mac? Even though FireFox has vulnerabilities, it doesn't have claws throughout the OS and therefore can't escalate privileges.

Also, since Safari has proven so vulnerable over the last two contests, I'd like the option of a different browser for my iPhone. While I doubt someone like CNET's Tom Merrit would send out a malicious link on Twitter, I'm not so sure about Scoble :-) or a few of the other digirati that I follow.
by Sporlo March 19, 2009 4:48 PM PDT
Apple and Microsoft are interested in getting the best experience to the user. One way to do that is to heavily integrate their browsers. It's convenient for the user, and many times that's all that matters, because the MAJORITY is going to be ok, and people just LOVE convenience.

And where did it say root access...?
by OS11 March 19, 2009 5:15 PM PDT
no he didn't gain root, that's impossible on OSX unless he booted from the Install 1 DVD. And no, Safari isn't tied to OSX in any way, there are about 60 Browsers on OSX all operate independently of the OS. And no, FireFox, IE have this same vulnerability... it's a Java hack. iPhones aren't vulnerable since there is no Java.
by SenorFrog March 19, 2009 7:35 PM PDT
@ Sporlo, @OS11: I said 'if' he gained root access. The article really doesn't go into what they mean by "gained control of a computer." As for the convenience, I agree but doesn't there seem to be a potentially nasty tradeoff? It seems that using the browser to do so much leads to vulnerabilities. If this exploit 'only' allowed him to place a keylogger on the computer, when the Mac asks for validation (ADMIN approval for doing something), couldn't privileges be escalated?
by ferretboy88 March 19, 2009 5:41 PM PDT
Safari is ugly. Please change the look. As Steve Jobs would say, It has no style.
by screamapillar March 19, 2009 7:45 PM PDT
Oh please. Have a look around. If I say I use Windows and have my reasons, not ONE Apple user will respect my choice (such as "needing a computer for actual work instead of just dicking around" - quote from an hilarious clip at the Onion). My point here, is that if I said the opposite, I like my Apple for x,y,z reasons, then all the Windows users MUST respect my choice because it is superior.

There is this foolish perception propagated by Apple users that Apple is all sweet and pure and creative and good where Microsoft is evil and a menace to society. Now while the latter is probably not far from the truth, the former is fatally flawed. They are all out to get your money and don't give a stuff about you. Stop pretending Apple are the good guys, they are just as disgustingly anti-competitive with their useless and overpriced accessories as anyone else.

The problem is the perception of arrogance and attack that many Apple users have. So as a defence, users of all of the other platforms (that just get bunched together by Apple users as 'other miscellaneous inferior products') retaliate. It is a response. There is NO perfect system and no Windows person or Linux person will say their system is perfect, only that it works for their particular needs. Apple people often say theirs is perfect. That is the difference.

Not all Apple users do this mind you. I am a good example. However, even I am jacked of the Apple users around me. iPods are not perfect. I personally prefer mine over the rest but that is it. Macs are not perfect. In fact, I prefer my Mac for some tasks and my PC for others. YES I prefer my WindowsXP PC to the Mac for many applications.

The problem here is some people get fanatical and the rest of us respond to that because we are sick of it. It is not isolated to Apple vs. PC. Take a look at some of the PS3/Xbox/NES forums... sheesh. Just get that your favourite product isn't best for everyone, it is just best for you. We aren't all suddenly uneducated hillbillies just because we have other uses or preferences.
by Dalkorian March 20, 2009 12:33 PM PDT
I hear ya, but I'd argue you're looking at this from one side of the fence. If you don't think there are any winblows users who'll claim their OS choice is the only perfect one for everyone you have either been living in a cave or are so extremely delusional as to be beyond all hope.

And no we're not suddenly "uneducated hillbillies", we're "uneducated INBRED hillbillies". It makes all the difference in the world.

Oh, and my OS *CAN* beat up your OS any day of the week. ;-)
by screamapillar March 22, 2009 4:03 PM PDT
/giggle - I am glad that I again have been made to chuckle at my desk from a CNET forum. /tiphat Dalkorian.

And I agree with you 100% Dalkorian. I guess I'm just sick of the whole 'mine is better' attitude. I use both platforms (pc and apple and both windows/unix on pc) and see pros and cons with both. I think those that worship Mac really don't use a good Windows or linux PC. And vice versa (those that hate Mac haven't used one). What bugs me about Apple fanatics is this perception that Apple is wholesome and good while Windows is evil. (I'm yet to meet a person who - even if they love windows - doesn't hate M$, when I find one I guess I'll be in shock. Most PC lovers love linux and concede the practicalities of M$... not saying M$ lovers aren't out there...) But my summary here is they (apple and microsoft) are both evil!! Once people realise that both of them are anti-competitive nasty corporations that have nothing but their bottom line at heart, then let's all sit down and have a constructive conversation. I love my Mac, really, I do. I just hate the hype around it. But guess what, I love my windows box too and yes, my windows box has better specs for about a quarter of the price and runs better than my Mac on the programs I use it for. And yuppers, my Mac runs better on the programs I use it for (although iTunes is pushing me so far over the edge I'm ready to convert...) There are things that drive me nuts about my windows box (e.g. could xml be a worse more bloated language if it tried??) but same with the Mac. It's all semantics at the end.
by AppleSuxLeo March 20, 2009 10:37 AM PDT
Apple writes terrible software...just look at that bug-ridden joke they call Quicktime. What a piece of work!
MobileMe anyone??? Bwahahahaha!
by Dalkorian March 20, 2009 12:39 PM PDT
I'm not going to argue Quicktime isn't a "bug-ridden joke", but with M$ the entire OS is a bug-riddled joke!

No, did I really just do that? Did I really just toss a bone to an obvious troll? Hey, even trolls need to eat sometimes I guess ...
by ferretboy88 March 22, 2009 7:28 AM PDT
Quicktime is the swiss cheese of them all. Safari needs to change its look. No style.
by screamapillar March 22, 2009 4:10 PM PDT
I think even those of us that are completely over the Apple hype can concede to Dalkorian's point here. Dare I mention Word 2007 just to antagonise an entire series of hate posts about bloated cruddy programming without even starting on the bugs... 2007 doesn't even need bugs to be awful (but don't worry, it has bugs too).

I guess that is it though isn't it? I just try to take all those things into account. I'm still running XP because I hate 'dial home' vista. But I have the same philosophy with iTunes, my god, every upgrade makes it crapper than the previous version so I've become resistant to upgrading. Particularly if it is another 'ooo let me redo the gaps between tracks - you'll now lose your computer for the next year while I do this...' upgrade (/seethe) Too bad if I want to use iTunes. The practicality of windows is what I use it for - I need it for work. I need it because I'm an avid gamer. Simple.
by Gr8mindandmore April 3, 2009 6:10 AM PDT
There hasn't been a lock or a computer system that hasn't been challenged, as Houdini showed & Microsoft found out with their XBox & the chap that's now employed by Microsoft for finding their weak spot within the system & warned them about it 4 years ago. Nice job!
by Gr8mindandmore April 3, 2009 8:31 AM PDT
Why the hype? Engineers & techs should be using the KISS method. Keep It Simple Stupid. There are no fail safes & why in the world would they pay hackers to do what their own technicians should have been doing all along, making their systems as safe as possible? Bill Gates won't allow his wife to use an Apple product, is it that there might be a difference between the systems? Come on, people, we are lining their pockets with gold and all I have is tin in my pocket!
by goodgawdman September 16, 2009 12:39 AM PDT
It's all lies! MACS are unhackable!!