214Views47Replies

Author Options:

Warning to all Safari users..... Answered

Picture of

Pwn2Own hacker: Apple Safari is 'easy pickings'


Charlie Miller, the security researcher who won last year's Pwn2Own hacker contest, is predicting that Apple's Safari browser will be the easiest target this year.

In a note posted on the popular Daily Dave mailing list, Miller describes Safari as "easy pickin's" and forecasts that at least four zero-day Safari flaws will be used during the contest at CanSecWest later this month...

  • Safari: hacked by 4 different people. Easy pickin's as usual.
  • Android: hacked by 1 person. Not too tough but no one owns one.
  • IE8, Firefox: Survive unscathed. The bugs to exploit equation is too hard for $5k.
  • iPhone, Symbian: Survive due to non-executable heap.
  • Blackberry, Windows Mobile, Chrome: I don't know enough to say anything intelligent. That said, they're probably hard/obscure and so survive.

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine. He is also known for launching successful attacks against Apple's iPhone and Google's Android platform.

Safari predicted to be the easiest target this year...

48 Replies

user
Goodhart (author)dombeef2009-03-12

Just make sure it stays up to date if you use it. ;-)

Select as Best AnswerUndo Best Answer

user
starwing123 (author)2009-03-14

Hackers can get by anything no matter how hard people try to stop them. As long it's connected to the internet. It's just how much time and effort they are willing to spend.

Select as Best AnswerUndo Best Answer

user
Goodhart (author)starwing1232009-03-15

Well, first off, those that hack, are not necessarily malicious, so if you mean malevolent hackers, known as Crackers, yes, there are ways to prevent pretty much anything except cracking from the actual physical location of the computer, but in nearly every one of those cases, it causes great inconvenience to the owner of the computer also. However, it really DOES have more to do with where one goes, and what one opens, then anything else; in the long run.

Select as Best AnswerUndo Best Answer

user
tarzioo (author)2009-03-13

what is a good software for preventing this? Is macscan good? I currently use clamXav but doubt it really does anything.

Select as Best AnswerUndo Best Answer

user
Goodhart (author)tarzioo2009-03-14

A good firewall (like from CheckPoint) is a must. But the most important thing after having all the safety checks in place, is where one surfs, and what one opens (like what attachments and whose emails). The best thing one can do is to keep everything updated (patched). There are programs out there for those not savvy to computers, that will check to make sure you have the latest version and patches.

Select as Best AnswerUndo Best Answer

user
tarzioo (author)Goodhart2009-03-14

oh awesome! I will definitely check it out, thanks!

Select as Best AnswerUndo Best Answer

user
Goodhart (author)tarzioo2009-03-14

Tarzioo, the following is one I use to keep my programs up to date and patched....

Secunia PSI

Select as Best AnswerUndo Best Answer

user
Plasmana (author)2009-03-06

Do you mean the hackers can get into people's computer via Safari?

Select as Best AnswerUndo Best Answer

user
fwjs28 (author)Plasmana2009-03-06

yeppers...there was (possibly still is) a way to hijack via quicktime and such programs through their update utility(i think)...never think your safe...

Select as Best AnswerUndo Best Answer

user
Plasmana (author)fwjs282009-03-10

Well, I am safe (for now). With help of little snitch, I now have manual control what information can come or leave my computer. In other words, I can deny my information going to a place with a very strange names and numbers together and allow my information pass to to a trusted place. It is hard work, but is is better than strangers reading your personal information.. :-)

Select as Best AnswerUndo Best Answer

user
fwjs28 (author)Plasmana2009-03-10

the only safe computer is a computer that doesn't exist, while this is an exageration, it is very true....whats the program called?

Select as Best AnswerUndo Best Answer

user
Goodhart (author)Plasmana2009-03-06

Until it is patched, and then it is patched until another weakness is found....

Select as Best AnswerUndo Best Answer

user
lemonie (author)2009-03-05

Safari may be the easiest, but is it likely to attract most attention? While IE still has the largest share surely it's still the biggest target?

L

Select as Best AnswerUndo Best Answer

user
11010010110 (author)lemonie2009-03-05

yea thats more likely but anyway the easiest way to infect a large amount of users is making them download and run stuff volunteerly. no os and no surfboard and no antivirus can protect a dumb user (unless the computer or os is so limited that its technically impossible to run custom stuff on it - thats not the case with most devices)

Select as Best AnswerUndo Best Answer

user
Goodhart (author)110100101102009-03-05

As Ron White would say: you can't fix stupid....

Select as Best AnswerUndo Best Answer

user
fwjs28 (author)Goodhart2009-03-10

YESS!....so true...so very true

Select as Best AnswerUndo Best Answer

user
lemonie (author)110100101102009-03-05

Oh yes, circulating junk-e-mail for one. Embedding stuff in web-pages downloads and video clips is something else though, that's more like "keep to well-lit areas of the 'net". And you don't have to be so dumb to get caught by that sort of thing. L

Select as Best AnswerUndo Best Answer

user
11010010110 (author)lemonie2009-03-05

downloads and video clips are actually something else. if i download a video clip and open it it opens in the video player and not as executable sure if my player has appropriate flaw (that can somehow make it execute binary code hidden in the video) i can get infected from it but its not really tricking me to run stuff on the computer

Select as Best AnswerUndo Best Answer

user
lemonie (author)110100101102009-03-05

Some things do embed in video clips (I'm not going to research this now but I'm fairly confident it's true) This does count as tricking you to run stuff on the computer L

Select as Best AnswerUndo Best Answer

user
11010010110 (author)lemonie2009-03-05

kinda like the 25th frame effect ?

Select as Best AnswerUndo Best Answer

user
NachoMahma (author)110100101102009-03-05

. The 25th frame is a subliminal effect. L is talking about malware embedded in videos and other files. They cause the media player (or word processor, &c;) to do bad things.

Select as Best AnswerUndo Best Answer

user
11010010110 (author)NachoMahma2009-03-05

i would not call an exploited video tricking you to run stuff on the computer

tricking is when it actually tricks you to do something

what you mean is not tricking the user - its actually exploiting secuity issues of the computer and not its user

i expect my player to be secure. so i dont think twice before i open video files in it. i dont intentionally run stuff i downloaded and dont trust

Select as Best AnswerUndo Best Answer

user
lemonie (author)110100101102009-03-05

(I forget, but you may be right there) L

Select as Best AnswerUndo Best Answer

user
Goodhart (author)lemonie2009-03-05

Yes, but FF is always growing, and there are those that prefer easier targets over more widely used. Security by obscurity doesn't work.

Select as Best AnswerUndo Best Answer

user
lemonie (author)Goodhart2009-03-05

"Miller exploited a Safari flaw" - the flaw will be fixed. Just as Microsoft fixes it's flaws when they are exposed. Using Safari doesn't put a person at any greater risk in real terms (over a reasonable period of time). L

Select as Best AnswerUndo Best Answer

user
Goodhart (author)lemonie2009-03-05

Yes, it is as gmjhowe said, it is the user that creates most of the risk...online.

Select as Best AnswerUndo Best Answer

user
gmjhowe (author)2009-03-05

Well, if you read the full story, they didn't 'hack' it the quickest.

They used an existing security flaw, hence why more people managed it. The bug was already known. Its like hacking an OS, when you read about someone who had hacked the password.

Despite that, i do admit that safari is not perfect. I still prefer the security of Mac os x in general. Firevault is a great feature that mac has had for many years, and is finally being copied by windows.

note - i just wanted to comment and say my thoughts, i will not respond to any replies, as i don't wish to have windows fanboys flaming me

Select as Best AnswerUndo Best Answer

user
Labot2001 (author)gmjhowe2009-03-05

WTF WINDOWS > MACS LOL U SUCK MAC FANBOY LOL

(jk)

Select as Best AnswerUndo Best Answer

user
Goodhart (author)Labot20012009-03-05

gmjhowe, shall we flag him? or flog him LOL

Select as Best AnswerUndo Best Answer

user
Plasmana (author)Goodhart2009-03-06

I would flag him, but because he said (jk), I am not too sure if I should do it...

Select as Best AnswerUndo Best Answer

user
Derin (author)Labot20012009-03-06

macs > windows (yes,i've tried a mac but i use windows)

Select as Best AnswerUndo Best Answer

user
Goodhart (author)gmjhowe2009-03-05

'Tis ok ;-) but you need to pick up a copy of The 2600 now and then ;-) One of the truest things ever said about anyone online is: the system believed to be completely secure is probably one of the most vulnerable.

Select as Best AnswerUndo Best Answer

user
gmjhowe (author)Goodhart2009-03-05

Which is why although i am happy to have a secure system. A bigger truth is its not the system that makes a computer secure or vulnerable, Its the user.

Select as Best AnswerUndo Best Answer

user
Goodhart (author)gmjhowe2009-03-05

Indeed, which is why my statement is so true.....you definitely GOT IT :-)

Select as Best AnswerUndo Best Answer

user
Doctor What (author)2009-03-05

Why are so many people switching to macs? Aarrgh! (don't answer that question, I know why)

Select as Best AnswerUndo Best Answer

user
Goodhart (author)Doctor What2009-03-05

Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.

Select as Best AnswerUndo Best Answer

user
DJ Radio (author)2009-03-05

I have Firefox and iphone. Im safe.

Select as Best AnswerUndo Best Answer

user
Goodhart (author)DJ Radio2009-03-05

Well, as noted elsewhere, those that feel secure, probably are the least secure...normally, users, are the main problem...

Select as Best AnswerUndo Best Answer

user
NachoMahma (author)Goodhart2009-03-05
. Yep. The cost of surfing is eternal vigilance.

  • Apologies to Mr. Jefferson

Select as Best AnswerUndo Best Answer

user
DJ Radio (author)Goodhart2009-03-05

well, I think the main problem is my mom. She actually fell for a virus scan scam. Luckily she has a limited account and I stopped it.

Select as Best AnswerUndo Best Answer

user
KentsOkay (author)2009-03-05

GOOGLE HUSSLE AND GET CHROME FOR MAC OUT ALREADY!!

Select as Best AnswerUndo Best Answer

user
Goodhart (author)KentsOkay2009-03-05

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.

Select as Best AnswerUndo Best Answer