Thursday, March 10, 2011

OS X And Safari First Casualty At Pwn2Own Hacking Contest


The annual “Pwn2Own” contest has just kicked off at CanSecWest, and Apple was the first to fall. A fully-patched Snow Leopard machine running Safari was made to launch an application (Calculator) and write a file, just from visiting a specific web page. It didn’t even crash the browser!

The exploit is in WebKit, meaning it could potentially apply to iOS browsers as well, though that has yet to be demonstrated. And to be fair, most of the other browser/OS combos will get taken down over the next couple days as well.

"I have an exploit all ready to go, and now it's just sitting in my bag," said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year's prize. "You'd think Apple would be concerned about it."

Miller said he's had the working attack for more than nine months now. Even after Apple patched a whopping 62 Safari security bugs just hours before the contest started, Miller's exploit still worked, he said.

Is anyone surprised? Apple is always the first to fall. And, yes, MS also fell to the hackers but it took longer. One person that was at the contest said that Safari was cracked in "5 seconds". Go ahead Apple fans, keep saying that Apple is more secure.


  1. Which system was cracked first has nothing to do with which is most vulnerable. All of these exploits are prepared weeks in advance, and took a lot more than 5 seconds to develop.

    Chrome wasn't cracked at all-- not necessarily because it was more secure, but because the registered entrants for that browser didn't attend.

    All the embarrassing proof of concept exploits in the world won't change the fact that for the foreseeable future, in the real world (where most of us reside), Apple operating systems are less likely to be compromised than the more popular OSs.

    As I've said before, I hope the haters succeed in slowing Apple's growth in popularity. I like being the member of an exclusive club which not only enjoys the most stylish, easy to use devices, but also benefits from security through obscurity.

    The worst thing that could happen would be for Apple to actually achieve the kind of complacent monopoly that Microsoft became.

  2. Actually, the system that got hacked IS ABSOLUTELY the most vulnerable. I think it's the definition of "the most vulnerable". If you want to slow Apple's growth, why not join the intelligent users of the real world and bash it yourself, like you said, it will only help. I'm sure if Jobs was offered a 90% market share for computers he would take it. He's only concerned with money and a product that looks pretty, that's it.

  3. Seriously, Bret are you blind, stupid or both? You can't see that Apple is less secure? Really? It's OK to admit it you know. It's almost comical how hard proof is presented before you from several reputable sources and you just deny it. For someone that seems to like Apple products so much you wind up on this site a lot. Why don't you start an "Apple is Great" blog or something and spew your nonsense there?

  4. Even allowing that Apple is more vulnerable, "less secure" is not necessarily "less safe". For now, I'm content to accept the risk of Apple's potential security failings over the actual exploits that adversely affect users of other more popular systems.

    As for why I post here, I simply point out most of the anti-Apple articles involve FUD of one sort or another. There is no need for an "Apple is Great" site, as suffices.

    I accept that Apple's products are not perfect and do not meet everyone's needs. But Apple's success is not due mainly to fashion, clever advertising, Steve Jobs' reality distortion, or the stupidity of brainwashed lemonade-drinking sheep (as is often accused), but rather by consistently getting good reviews, positive word of mouth, and providing effective hands-on demos at retailers.

    Hard as it is for haters to understand, Apple products actually do meet the needs and desires of large numbers of people. Every product involves tradeoffs and has its pros and cons. Apple has balanced these very successfully.

    Apple regularly issues security updates for its software. While it can be argued that they could do a better job of patching known flaws promptly, the bottom line is that we Apple users have not suffered a fraction of the malware that others have.

  5. Good reviews? Not from what I've seen. All I hear about is lack of options and bad customer service. I don't just listen to the fans that can't live without their iDevice. I actually read the forums and found plenty of Apple owners complaining about their precious products.

    Answer this for me (please don't avoid the question)
    What would you rather have 1. A product that can do a few things and do them well at a cost of $300 and limits you to what you can see and hear and without the (easy) ability to modify it, or 2. A product that does a lot more things, does them well and does not have any restrictions for $80?

  6. I never said Apple was perfect. With millions of customers, some are going to have problems. Of course you will hear about them if you frequent Apple forums. People go there expressly to seek solutions and complain. It's hardly a representative sample though. I don't think Apple has a higher incidence of complaints than other manufacturers. Do you imagine that other companies are flawless? In fact, Apple comes out at the top of user satisfaction surveys time and again. These surveys are based on representative samples.

    I'll be happy to answer your hypothetical question. Based on your criteria, I'd probably go for option 2. But what does this have to do with Apple? Are there really two products with that great a disparity in price, that really do things equally well? Can you give me an example?

    Also, it's worth mentioning that products that are "easy to modify without restrictions" may be well suited for you and I, but cause no end of problems for naive users who don't know what the hell they are doing (which turns out to be a lot of people).

    Just so you know, I own a MacBook Pro and an iPhone 4, rather than a Windows laptop and some other brand of feature phone. I am very happy with these, don't begrudge their cost. Neither do I find myself wishing for more options. I can't justify a tablet for my own needs, but if I was in the market, I'd seriously consider an iPad 2.

    That's me. Everyone else, by all means buy whatever fits your priorities.

  7. Well thank you for proving my point. Without seeing the Apple on the back you would pick the same product I did. I bought a 16gb Archos MP3/Video player and it cost me about $79 and works perfectly. The comparable 16 iPod nano was $279. I believe they both have the same features but the Archos has an SD card slot. Sounds to me like the Apple logo alone jumps the price up a whopping $200.

    I realize I said $300 earlier, my apologies.

  8. I had posted a longer reply which seems to have gotten lost. But in short, I feel that while the Archos and iPod nano share similar specs, they are qualitatively different. If you believe that Apple's prices are unjustified, so be it. Everyone makes their own value judgement.

  9. Ok, sounds good to me. I guess no one could show me what a regular iPod can do that my Archos cannot. Oh well.

  10. I'm not familiar with the Archos player, but I can hazard a few guesses: iPod has a scroll wheel interface which many consider superior. iPod has a shuffle feature that the Archos may lack. iPod may be slimmer yet have longer playing time. iPod may come in more colors than the Archos. iPod can be serviced at a local Apple store. Some people actually like iTunes. There are many more accessories compatible with the iPod.

    None of these things may sway your opinion, but I'll bet they help explain why the iPod outsells the Archos despite the unfavorable price differential.

  11. Well, the scroll wheel, the colors and the slight difference in size are aesthetics really. I was looking for actual features. My Archos does have shuffle and I don't listen to it 24/7 so I rarely have to charge the battery. There's also a feature for displaying the lyrics of a song but I've only used it once or twice. I'm still not seeing anything worth $200.

  12. Like I said, everyone has their priorities. Putting aside those attributes of the iPod that you don't value as "features"... For some the iPod is simply an affordable luxury, and I suppose a bit of a status symbol. It fulfills the essential functions with style, and provides pride of ownership.

    Many people also routinely buy expensive name brands like Levis and Nike, when they could scrimp and get similar "no-name" items for a fraction of the price. Sometimes the cheap stuff is shoddy, while other times it is actually of similar quality. You often don't really know until it is too late. Careful shopping takes effort and expertise. Buying the name brand is like a guarantee of a certain level of quality.

    Currently, Apple has a good reputation (at least outside of hater circles). Apple has clawed their way back from insignificance, earning their reputation for quality and innovation the hard way by releasing a stream of well received products, and is now capitalizing on it. Their days of being labeled "beleaguered" and "going out of business any day now" are long behind. They make a good profit, allowing for future R&D, and assuring customers that there will be continuous evolution and support in future years.

    Apple customers generally feel that they are receiving their money's worth, for both the tangible features and the intangibles. I don't expect to convince you that the iPod would have been a better purchase. It undoubtedly isn't-- for you. Obviously, your values differ, and that is why companies like Archos exist.

  13. Apple doesn't do R&D! They just take something, copy it, close it, make it shiny and pricey. The only R&D apple does is in marketing!

    Like you say "Apple customers generally feel that they are receiving their money's worth,"
    ... That's exactly apple marketing. They created a need: you need an ipod in order to be someone, still quoting you, "For some the iPod is simply an affordable luxury, and I suppose a bit of a status symbol".
    So basically, if someone buys an apple device it's just to show off, in order to fit in. So yes, you are right, they feel like being on top of the hype wave with their ipod, ipad, macbook, and so on.
    But that brings me 2 questions: do you need a gadget in order to fit in?
    The second question is: how far can marketing go?

    And Brett, Levi's does make the best jeans (they do, they are high quality).

  14. So basically, Apple users choose Status over Substance. I understand.

    Read how Android is DESTROYING Apple.

  15. Hmmm. What a sad little website full of haters...

    Well argued Brett.

    The subject of the original posting:
    "Is anyone surprised? Apple is always the first to fall. And, yes, MS also fell to the hackers but it took longer. One person that was at the contest said that Safari was cracked in "5 seconds". Go ahead Apple fans, keep saying that Apple is more secure."

    It's important to note that as Brett pointed out this is well planned in advance. The point is that Apple IS more secure. I still don't hold much belief in the security through obscurity myth. I've had nigh on 27 years of Mac experience and never lost a day to a virus or trojan. Must be due to sheer damned luck then, mustn't it?

    Have to break my comment down into sections as it complained that it was too long.

  16. Anonymous II:
    "Read how Android is DESTROYING Apple."
    Hmmm. Destroying? Really? Apple's market share "flattened" in a rapidly growing market? You realize what that means, yes? It means Apple is basically selling as many phones as it makes. That really doesn't sound like destroyed to me. Also Apple currently has something in the region of 50% of the profit in the smartphone market. I wish I could be destroyed in such a way. The problem is that you're letting your rabid anti-fanboyism get in the way of, uh huh, facts.

    Facts. No single other smartphone outsells the iPhone. Not one.
    Facts: There are far more iOS device registrations a day than you realize.
    Facts: No one has managed to duplicate Apple's ecosystem. At all.

  17. Anonymous I:
    "Apple doesn't do R&D! They just take something, copy it, close it, make it shiny and pricey."
    Yes. Would you care to explain then why last year when all those opposing tablets were shown at CES none of them came out after Apple's iPad announcement... HP shipped 10,000 copies of their slate device around Christmas time but I suspect that was under some kind of contractual obligation to Microsoft, it being such a big part of the Microsoft keynote speech.

    Oh and the pricey thing? If Apple are so pricey then how come the Xoom was like $80 more for a similarly spec'd machine? 32 gigs, 3g, wi/fi - and no you can't count SD card - it can't be used at present and you can't say "it's got 4G" because the shipping product still doesn't have it yet.

    Notice how all the competing tablets are coming out with 7" screens? For convenience they say. They neglect to point out that it is also cheaper. They tell you one thing but mean another and you say that Apple is all marketing?

    The iPad has shown that Apple can and does compete on price. In fact with the launch of the iPad 2 and Apple securing continuing hardware supplies the competition is going to be hard pressed to catch up.

    "The only R&D apple does is in marketing!"
    Yes, I could name many things that you take for granted that didn't exist before Apple "copied them". So say "Apple does no R&D and only copy" but I call bullshit. So do you to be honest otherwise you'd have bothered to enter a name and man up about your arguments rather than post anonymously.

  18. First of all, my name happens to be Brett and, last time I checked, I'm not a clone.

    Ratty, as far as the Pwn2Own contest goes, exploits for ALL THREE OS were planned well in advance so that levels the playing field. The FACT is that Safari on a MAC FELL FIRST! Can you even read? That proves that it is the least secure. Is it the least attacked? Yes probably I'll give you that but it's not the most secure. It sounds to me like you are a jealous little Mac fan boy because PC's can do more for less money.

  19. The fact was that the Mac hardware is the most desirable. The one that didn't come with hardware didn't fall. People mysteriously "dropped out" rather than go for the $20k that Google put up at the last minute.

    But I say again. Which of these are in the wild? Which of the mobile OS's actually requires anti-virus and anti-phishing software due to lack of control of the market place?

    I don't get the "Macs do less" for more money. My Mac can boot OSX, Linux and Windows. Legally. How is that doing less? I don't use any of the machines for games and buying the Mac has made me more productive and so I have easily covered the cost of purchase.

    The "fact" that the Mac fell first has the same actual consequence as it not falling at all. The exploit gets reported and things get fixed.

  20. Brett - I see you responded to me calling you out as a clone - which was in the other thread. As you are here or if you prefer... could you respond in the other thread the answer to the name of this $100 clone you bought that outdoes the iPad please

  21. Looks like your cage has been rattled pretty bad Rat-boy.


    It's funny because it's true.

  22. The tenor of discussion has hit rock bottom. In order to fully appreciate Anonymous' preceding comment, one should imagine the "hee hawww" of a braying jackass, or a child's singsong "Nyahh Nyahh Nyahh Nyahh Nyahh"