Warning to all Safari users.....

Pwn2Own hacker: Apple Safari is 'easy pickings'


Charlie Miller, the security researcher who won last year's Pwn2Own hacker contest, is predicting that Apple's Safari browser will be the easiest target this year.

In a note posted on the popular Daily Dave mailing list, Miller describes Safari as "easy pickin's" and forecasts that at least four zero-day Safari flaws will be used during the contest at CanSecWest later this month...

  • Safari: hacked by 4 different people. Easy pickin's as usual.
  • Android: hacked by 1 person. Not too tough but no one owns one.
  • IE8, Firefox: Survive unscathed. The bugs to exploit equation is too hard for $5k.
  • iPhone, Symbian: Survive due to non-executable heap.
  • Blackberry, Windows Mobile, Chrome: I don't know enough to say anything intelligent. That said, they're probably hard/obscure and so survive.

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine. He is also known for launching successful attacks against Apple's iPhone and Google's Android platform.

Safari predicted to be the easiest target this year...

Discussions

0
dombeef

10 years ago

WHAT!

0
Goodhart

Reply 10 years ago

Just make sure it stays up to date if you use it. ;-)

0
dombeef

Reply 10 years ago

Ok thanks!

0
starwing123

10 years ago

Hackers can get by anything no matter how hard people try to stop them. As long as it's connected to the internet. It's just how much time and effort they are willing to spend.

0
Goodhart

Reply 10 years ago

Well, first off, those that hack are not necessarily malicious, so if you mean malevolent hackers, known as Crackers, yes, there are ways to prevent pretty much anything except cracking from the actual physical location of the computer, but in nearly every one of those cases, it causes great inconvenience to the owner of the computer also. However, it really DOES have more to do with where one goes, and what one opens, than anything else, in the long run.

0
tarzioo

10 years ago

What is a good software for preventing this? Is MacScan good? I currently use ClamXav but doubt it really does anything.

0
Goodhart

Reply 10 years ago

A good firewall (like from CheckPoint) is a must. But the most important thing after having all the safety checks in place, is where one surfs, and what one opens (like what attachments and whose emails). The best thing one can do is to keep everything updated (patched). There are programs out there for those not savvy to computers, that will check to make sure you have the latest version and patches.

0
tarzioo

Reply 10 years ago

oh awesome! I will definitely check it out, thanks!

0
Goodhart

Reply 10 years ago

Tarzioo, the following is one I use to keep my programs up to date and patched....

Secunia PSI

0
Plasmana

10 years ago

Do you mean the hackers can get into people's computer via Safari?

0
fwjs28

Reply 10 years ago

yeppers...there was (possibly still is) a way to hijack via QuickTime and such programs through their update utility (I think)...never think you're safe...

0
Plasmana

Reply 10 years ago

Well, I am safe (for now). With the help of Little Snitch, I now have manual control over what information can come to or leave my computer. In other words, I can deny my information going to a place with very strange names and numbers together and allow my information to pass to a trusted place. It is hard work, but it is better than strangers reading your personal information. :-)

0
fwjs28

Reply 10 years ago

the only safe computer is a computer that doesn't exist, while this is an exaggeration, it is very true....what's the program called?

0
fwjs28

Reply 10 years ago

o...i see... :P

0
Goodhart

Reply 10 years ago

Until it is patched, and then it is patched until another weakness is found....

0
11010010110

Reply 10 years ago

yea that's more likely but anyway the easiest way to infect a large amount of users is making them download and run stuff voluntarily. no os and no surfboard and no antivirus can protect a dumb user (unless the computer or os is so limited that it's technically impossible to run custom stuff on it - that's not the case with most devices)

0
Goodhart

Reply 10 years ago

As Ron White would say: you can't fix stupid....

0
fwjs28

Reply 10 years ago

YESS!....so true...so very true

0
lemonie

Reply 10 years ago

Oh yes, circulating junk-e-mail for one. Embedding stuff in web-pages downloads and video clips is something else though, that's more like "keep to well-lit areas of the 'net". And you don't have to be so dumb to get caught by that sort of thing. L

0
11010010110

Reply 10 years ago

downloads and video clips are actually something else. if i download a video clip and open it, it opens in the video player and not as an executable. sure, if my player has an appropriate flaw (that can somehow make it execute binary code hidden in the video) i can get infected from it, but it's not really tricking me to run stuff on the computer

0
lemonie

Reply 10 years ago

Some things do embed in video clips (I'm not going to research this now but I'm fairly confident it's true). This does count as tricking you to run stuff on the computer. L

0
11010010110

Reply 10 years ago

kinda like the 25th frame effect ?

0
NachoMahma

Reply 10 years ago

. The 25th frame is a subliminal effect. L is talking about malware embedded in videos and other files. They cause the media player (or word processor, &c) to do bad things.

0
11010010110

Reply 10 years ago

i would not call an exploited video tricking you to run stuff on the computer

tricking is when it actually tricks you to do something

what you mean is not tricking the user - it's actually exploiting security issues of the computer and not its user

i expect my player to be secure. so i don't think twice before i open video files in it. i don't intentionally run stuff i downloaded and don't trust

0
lemonie

Reply 10 years ago

(I forget, but you may be right there) L

0
Goodhart

Reply 10 years ago

Yes, but FF is always growing, and there are those that prefer easier targets over more widely used. Security by obscurity doesn't work.

0
lemonie

Reply 10 years ago

"Miller exploited a Safari flaw" - the flaw will be fixed. Just as Microsoft fixes its flaws when they are exposed. Using Safari doesn't put a person at any greater risk in real terms (over a reasonable period of time). L

0
Goodhart

Reply 10 years ago

Yes, it is as gmjhowe said, it is the user that creates most of the risk...online.

0
gmjhowe

10 years ago

Well, if you read the full story, they didn't 'hack' it the quickest.

They used an existing security flaw, hence why more people managed it. The bug was already known. It's like hacking an OS, when you read about someone who had hacked the password.

Despite that, I do admit that Safari is not perfect. I still prefer the security of Mac OS X in general. FileVault is a great feature that Mac has had for many years, and is finally being copied by Windows.

note - i just wanted to comment and say my thoughts, i will not respond to any replies, as i don't wish to have windows fanboys flaming me

0
Labot2001

Reply 10 years ago

WTF WINDOWS > MACS LOL U SUCK MAC FANBOY LOL

(jk)

0
Goodhart

Reply 10 years ago

gmjhowe, shall we flag him? or flog him LOL

0
Plasmana

Reply 10 years ago

I would flag him, but because he said (jk), I am not too sure if I should do it...

0
Labot2001

Reply 10 years ago

It was a genuine jk.

0
Derin

Reply 10 years ago

macs > windows (yes,i've tried a mac but i use windows)

0
Goodhart

Reply 10 years ago

'Tis ok ;-) but you need to pick up a copy of The 2600 now and then ;-) One of the truest things ever said about anyone online is: the system believed to be completely secure is probably one of the most vulnerable.

0
gmjhowe

Reply 10 years ago

Which is why although I am happy to have a secure system. A bigger truth is it's not the system that makes a computer secure or vulnerable, it's the user.

0
Goodhart

Reply 10 years ago

Indeed, which is why my statement is so true.....you definitely GOT IT :-)

0
Doctor What

10 years ago

Why are so many people switching to macs? Aarrgh! (don't answer that question, I know why)

0
Derin

Reply 10 years ago

I want a mini.

0
Goodhart

Reply 10 years ago

Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.

0
DJ Radio

10 years ago

I have Firefox and iPhone. I'm safe.

0
Goodhart

Reply 10 years ago

Well, as noted elsewhere, those that feel secure, probably are the least secure...normally, users, are the main problem...

0
NachoMahma

Reply 10 years ago

. Yep. The cost of surfing is eternal vigilance.

  • Apologies to Mr. Jefferson

0
DJ Radio

Reply 10 years ago

well, I think the main problem is my mom. She actually fell for a virus scan scam. Luckily she has a limited account and I stopped it.

0
KentsOkay

10 years ago

GOOGLE HUSTLE AND GET CHROME FOR MAC OUT ALREADY!!

0
Goodhart

Reply 10 years ago

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.