“Everybody’s Web software got ‘pwned’ at the Pwn2Own hackers conference this week: Apple’s Safari, Google’s Chrome, Microsoft’s Internet Explorer, Mozilla’s Firefox and Adobe’s Reader and Flash,” Philip Elmer-DeWitt reports for Fortune.
“Safari was defeated by Liang Chen, one of a pair Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect,” P.E.D. reports. “‘For Apple, the OS is regarded as very safe and has a very good security architecture,’ Chen told ThreatPost’s Michael Mimoso. ‘Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.'”
Read more in the full article here.
MacDailyNews Take: “The security in OS X is higher than other operating systems.” Of course it is.
[Thanks to MacDailyNews Reader “David E.” for the heads up.]
Related articles:
Microsoft risks even further Windows security woes by retiring XP – March 10, 2014
Massive data breach: Target’s Windows-based PoS terminals were infected with malware – January 13, 2014
The Microsoft Tax: Malicious worm on Skype lets hackers hold Windows PCs for ransom; Macintosh unaffected – October 10, 2012
The Microsoft Tax: Critical Windows flaw affects millions of high-value PCs with self-replicating attacks – March 13, 2012
The Microsoft Tax: Virus infects Windows PC control systems of US Predator and Reaper drones – October 8, 2011
The Microsoft Tax: ‘Indestructible’ botnet attacks millions of Windows PCs; Macintosh unaffected – July 1, 2011
The Microsoft tax: Stuxnet computer worm infects Microsoft’s porous Windows OS; Mac unaffected – September 27, 2010
The Microsoft Tax: New undetectable Windows trojan empties bank accounts worldwide; Mac unaffected – August 11, 2010
The Microsoft Tax: Windows zero-day flaw exposes users to code execution attack; Mac unaffected – August 09, 2010
The Microsoft Tax: Critical flaw lets hackers take remote control of Windows PCs; Mac unaffected – August 07, 2010
The Microsoft Tax: New attack bypasses every Windows XP security product tested; Mac unaffected – May 11, 2010
The Microsoft Tax: McAfee correctly identifies Windows as malware; Macintosh unaffected – April 21, 2010
The Microsoft Tax: DNS Windows PC Trojan poses as iPhone unlock utility; Mac and iPhone unaffected – April 15, 2010
The Microsoft Tax: 1-in-10 Windows PCs still vulnerable to Conficker worm; Macintosh unaffected – April 08, 2010
The Microsoft Tax: 74,000 Windows PCs in 2,500 companies attacked globally; Mac users unaffected – February 18, 2010
The Microsoft Tax: Widespread attacks exploit Internet Explorer flaw; Macintosh unaffected – January 22, 2010
The Microsoft Tax: Windows 7 zero-day flaw enables attackers to cripple PCs; Macintosh unaffected – November 16, 2009
The Microsoft Tax: Windows 7 flaw allows attackers to remotely crash PCs; Macintosh unaffected – November 12, 2009
The Microsoft Tax: Windows virus delivers child porn to PCs, users go to jail; Mac users unaffected – November 09, 2009
The Microsoft Tax: Worms infest Windows PCs worldwide; Mac users unaffected – November 02, 2009
The Microsoft Tax: Banking Trojan horse steals money from Windows sufferers; Mac users unaffected – September 30, 2009
The Microsoft Tax: Serious Windows security flaw lets hackers to take over PCs; Macintosh unaffected – July 07, 2009
The Microsoft Tax: Windows Conficker worm hits hospital devices; Macintosh unaffected – April 29, 2009
The Microsoft Tax: Conficker virus begins to attack Windows PCs; Macintosh unaffected – April 27, 2009
The Microsoft Tax: Conficker’s estimated economic cost: $9.1 billion – April 24, 2009
I want to know how well microshit did ?😜😜
Dan Goodin at Ars Technica is keeping track of the scores:
http://arstechnica.com/author/dan-goodin/
The first article:
http://arstechnica.com/security/2014/03/pwn2own-the-perfect-antidote-to-fanboys-who-say-their-platform-is-safe/
…successful hacks of the Internet Explorer, Firefox, and Safari browsers and Adobe’s Flash and Reader applications.
. . .
Update: Vupen has reportedly pwned Chrome as well.
They’re not bothering with Opera, but since Chrome was hacked, it’s likely the same hack would apply to Opera.
Where I’d have to disagree with Keen Team regarding Safari is the fact that Safari 6.x, which is still active on OS X 10.8 on down, is still using old SSL technology. That’s bad and potentially dangerous. Only Safari 7.x, which is only on OS X 10.9 Mavericks, is using state of the art TLS 2.0.
What’s good is that Apple’s old Safari SSL technology has been patched up to be good enough such that it rebuffs current SSL exploits in the wild. I just wish we could skip the patchy stuff and catch up with the modern world.
Hey Derek, BackBlaze looks excellent.
Not only that but IE and FireFox fell the first day. Chrome and Safari made it to the second day. Chrome fell twice on second day, Safari only once, (that I know of).
IE is a joke for any kind of security, my grandmother could hack it.
Here are the browser hack prizes given out so far, as per a comment by AlieP at Ars Technica:
Google Chrome on Windows 8.1 x64: $100,000
Microsoft Internet Explorer 11 on Windows 8.1 x64: $100,000
Mozilla Firefox on Windows 8.1 x64: $50,000
Apple Safari on OS X Mavericks: $65,000
The bounty scales tell us a lot. I use Firefox as my main browser and I am not happy that the it has the lowest bounty implying it is easiest to compromise, and the fact that it been compromised by 4 separates teams using different exploits according the pwn2own results.
You’re assuming the lower the bounty, the easier it is to compromise. It may simply be that the bounties relate to the relative number of users of each browser, as in what is the likelihood someone would be using XYZ browser conducing secured transactions, etc.
I didn’t write what was in italics. It was a continuation of a quote from a comment after Goodin’s article. I have no personal knowledge of why they vary the bounties.