Safari hacked in five seconds at Pwn2Own

Apple’s Safari Web browser was hacked within five seconds of visiting a specially crafted Web site.

The hack for Safari allowed a team of French security experts to win this year’s Pwn2Own hacker challenge, according to ZDNet. The researchers won $15,000 in cash and an Apple MacBook Air 13-inch running Mac OS X Snow Leopard.

The MacBook that was hacked was running a fully updated 64-bit version of Mac OS X. It’s not clear if the version of Safari used was the updated version from earlier today or an older one.

The researchers said that WebKit, Safari’s rendering engine, has many vulnerabilities.

After running the exploit, the researchers were able to launch the calculator app and write a file to the disk.

“The victim visits a web page, he gets owned. No other interaction is needed,” said Chaouki Bekrar, one of the researchers.

  • Tony Arnold

    And yet they’re completely unwilling to share these vulnerabilities with the developer of the software — so in essence these “security researchers” are complicit in keeping these vulnerabilities intact until they can make some prize money off it.

    Doesn’t sound like a very ethical profession to me.

    • How much would Apple pay them for it? More than the prize money? No? Capitalism, my friend.

    • Robert

      I think you have a fundamental misunderstanding. The security researchers DO share the vulnerabilities with the developer. Apple, however, apparently has a reputation for being incredibly slow and unresponsive to their reports…

      • Tony Arnold

        So you’re saying without any doubt that these vulnerabilities were disclosed to Apple before this event? (and the subsequent publicising of the vulnerability). I’d read/heard that it was popular practice to keep a cache of unknown vulnerabilities for events such as this.

        • Robert

          I don’t know about this specific vulnerability (the researchers tend to not publish/identify the vulnerabilities they find until after the vendor has patched them — so there’s no way to know). I was speaking in more general terms. Disqus held-for-moderation a citation I just tried posting here, but Google the phrase below and you’ll find a Washington Post article/blog that provides some context on Apple’s non-responsiveness and how much it frustrates security researchers who are trying to help:

          “Security Fix – Apple Slow To Fix Java Flaws”

      • Steven Fisher

        If it’s been reported you can post the rdar number.

  • Gustav

    It’s a bit disingenuous to say it was hacked in five seconds. I’m sure they spent more than five seconds researching this hack, and writing the web page to take advantage of the possibility.

    These guys basically keep a list of known vulnerabilities. Apple will get around to fixing them eventually, then they’ll just move further down their list each time Apple updates WebKit. Though it’d be nice if Apple stepped up the priority on finding and fixing these.

    • Tony Arnold

      The original article states that a team of researchers spent two weeks finding this vulnerability. It took 5 seconds to execute, not to figure out — sensationally misleading headlines must get hits or something.

      • My intention wasn’t to mislead. I thought it would be obvious that they researched the vulnerability beforehand.

        • Holland

          How long does it take to push a button on any computer and get a response? Maybe 5 seconds. In this case, 2 weeks and 5 seconds…

          And yet now that you realize it was misleading, it remains misleading. Interesting…

  • What a joke, so you can create a trojan website, how come this doesn’t happen, because safari / apple would warn against it in real life. Let them gain access without having physical access to the machine, the way this should work.

    • Guest

      Do you really think Apple/Safari are going to warn you “in real life?” Do you think Apple is some sort of guardian angel?

  • Another farce of a competition, the “so called” winner had FULL PASSWORD & PHYSICAL access to this Mac for his parlor trick to work. So it wasn’t a real world test, just a “controlled, clean room” example if you spend weeks to write code, break into someone’s house and point a “browser” to a special site.

    OSX was never hacked at this contest, just an unpatched version of a browser… and only IF the hacker has full unrestricted access to your machine, yawn.

    • dan

      What are you talking about – the only thing the “hacker” did was visit a webpage – that’s it… nothing else… it is a security flaw in the browser that allowed the SITE to gain access to the machine, launch an application and write a file to the HD. This means that if this exploit was in the open the only thing you have to do on your mac to get some nasty virus or malware is to visit a site…

  • Wouldn’t any exploit using known vulnerability, previously researched, take “seconds” to be successful on any unpatched system? You make it sound like they’re sitting down in front of a system cold and creating a new exploit from scratch and managed to type out a new one in just 5 seconds. The amount of time for the exploit to actually execute is meaningless and absurd. “Why, team A’s code took 4.965 seconds to execute while team B’s code took 4.953 seconds. Team B wins!”

    The speed at which the exploit executes is only a measure of how fast that system can execute code. If you think about it, the faster the time, the better. Any system that would end up just as compromised, but take longer to have it happen just means that that system is slower and more inefficient. It would mean that that system’s security system is just slower and more laggy for the end user, but NOT any safer.

    The correct title should have been “A team of French security experts takes weeks to breach Safari security using known, unpatched vulnerability.”

    That being said, I hope that any team that comes up with any successful exploit on any system immediately tells the responsible party EVERYTHING they know about that security exploit, not just what they did to win this week. This isn’t a game and there are no winners and losers here. Everybody loses if the “winners” don’t make sure the holes they exploited are patched. Now that they’ve told the whole world where the holes are, they now bear just as much responsibility for them as the sloppy programmers who did the original programming in the first place.

    • Robert

      You’re pretty much right about the “within X seconds”, but missing one consideration:

      If an exploit is simple, to breach it might only require a simple algorithm (for illustration purposes: 1+1=2). If an exploit is more complex and requires the defeat of a series of vulnerabilities, a more complex algorithm might be required (for illustration purposes: 937492947.28478 * sqrt 30384100). The latter, more complex algorithm is more “expensive” and would generally take the same system longer to execute than the former simple algorithm.

      So yes, speed actually could be somewhat relevant. But yeah, “team A’s code took 4.965 seconds to execute while team B’s code took 4.953 seconds” seems pretty insignificant to me…

  • Anonymous

    Bottom line, this proves nothing in real life. Because nobody actually is using this exploit on a website anywhere.

    As for Apple being slow to respond to security complaints, well, it couldn’t possibly be because over the years the security people spend a lot of time crying wolf to drum up business, and Apple doesn’t take them seriously, could it?

    No, and that’s why Apple has proactively asked security experts to help them work on security. And I’m willing to bet good money that the Safari that was compromised today was not the new one.

    As for the point that it took weeks or months to research the vulnerability, it’s absolutely true. But the exploiters can do that too. It’s just a matter of whether they’re as good as these people at the hacker conference where they have a weenie measuring contest every year.

    And why are they picking on Apple for WebKit? Isn’t Google the lead on WebKit these days?

    • scoob101

      Nobody’s picking on Apple. They got pwned first. Simple as that.

      The only thing that keeps the illusion of security alive on Mac systems is that over 90% of people don’t use one. Nobody is interested in writing exploits for systems the majority of people don’t use – it’s simply not cost effective.

      • Gru

        Ah yes. Keep parroting the same old “it’s the market share” myth. Keeeeeep it up…. eyeroll. If that’s always the case, why aren’t there exploits all over the place for the iPhone? You know, the most popular smartphone on the planet. Certainly no market share gap there. Or the iPad.. where Apple has a 90% market share of the tablet market. Should be exploits all over the place then.

        • scoob101

          I think you’ll find that both Android and Blackberry have more market share than iPhone in the smartphone market.

          How exactly is iOS a direct comparison to OSX? Comparing apples and oranges doesn’t work. We’re talking about Safari running on OSX. Nothing more.

      • Anonymous

        You buying into that old chestnut, that OS X is only secure because of obscurity? Sorry scoob, but you’re out on a limb with that claim. It’s only part of the reason. Like in most aspects of life, it’s not a black and white issue.

        No Trojan for the Mac has ever succeeded in propagating en masse. Only idiots who download illegal software so far suffer. There’s not one single virus in the wild for Mac – yet.

        You pretend to tell us there’s not one single person out of seven billion who wouldn’t savor the notoriety of making the first one that actually did some damage? Especially with all the animus against Apple these days for being the most valuable tech company on the planet?

        I’m not saying it’s not possible. Only people like this who are particularly interested in the subject have figured out how to exploit Safari – with the help of months of research – and luckily their ambitions are plugging holes, not exploiting them. Though ego is certainly a big part of this event every year. But that’s okay, they serve the security concerns of all at the same time.

        • scoob101

          No, OSX is not more secure because of obscurity, it simply sees less exploits for the vulnerabilities it has.

          Exploits are created pretty much exclusively for financial gain, and always take the path of least resistance. Why on earth would you target just 8% of all desktops on the internet, when you can target the other 90% (40% of which are on XP and are straightforward to compromise with limited technical knowledge)?

          It really is as simple as that. You can deny it, but you’re just avoiding the simple fact that in this browser test, Safari came last. Basing your security approach on obscurity is madness.

    • Seanbrunett

      Yes, Apple is highlighted in the story because their browser was hacked before anybody else’s. If IE, Chrome, or FF had been pwned first, they would have been the center of the story. Chrome usually gets a lot of attention because it still hasn’t been hacked.

  • Gru

    It was made clear that the version they hit was NOT the now-current 5.0.4…it was an older 5.0.3. The guy that had hacks for Chrome didn’t make it in.. and Google had been pushing out updates to fix holes recently anyway.

    These guys were working on the hole for WEEKS. This happens every year at pwn2own.. and the version on the target machine is frozen like 3 weeks before.

    • scoob101

      2 weeks, to be exact. And it utilised a single, zero-day vulnerability.

      As a comparison, the IE8 hack took 6 weeks to develop, and needed to utilise 3 exploits in tandem in order to function.

      I ain’t saying that Safari is full of gaping holes; but compared to the much maligned IE8, it’s not looking best of breed by a long shot.

    • Robert

      It was also made clear that the winners wouldn’t receive their prize — even with a successful hack of 5.0.3 — unless the same vulnerability still existed (i.e. hadn’t been patched) in the most current version of Safari (i.e. 5.0.4).

      They were awarded the prize. What’s that tell you?