Warning to all Safari users..... Answered

Pwn2Own hacker: Apple Safari is 'easy pickings'


Charlie Miller, the security researcher who won last year's Pwn2Own hacker contest, is predicting that Apple's Safari browser will be the easiest target this year.

In a note posted on the popular Daily Dave mailing list, Miller describes Safari as "easy pickin's" and forecasts that at least four zero-day Safari flaws will be used during the contest at CanSecWest later this month...

  • Safari: hacked by 4 different people. Easy pickin's as usual.
  • Android: hacked by 1 person. Not too tough but no one owns one.
  • IE8, Firefox: Survive unscathed. The bugs to exploit equation is too hard for $5k.
  • iPhone, Symbian: Survive due to non-executable heap.
  • Blackberry, Windows Mobile, Chrome: I don't know enough to say anything intelligent. That said, they're probably hard/obscure and so survive.

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine. He is also known for launching successful attacks against Apple's iPhone and Google's Android platform.

Safari predicted to be the easiest target this year...

Discussions

dombeef

9 years ago

WHAT!

Goodhart (in reply to dombeef)

Reply 9 years ago

Just make sure it stays up to date if you use it. ;-)

starwing123

9 years ago

Hackers can get by anything no matter how hard people try to stop them. As long as it's connected to the internet. It's just how much time and effort they are willing to spend.

Goodhart (in reply to starwing123)

Reply 9 years ago

Well, first off, those that hack, are not necessarily malicious, so if you mean malevolent hackers, known as Crackers, yes, there are ways to prevent pretty much anything except cracking from the actual physical location of the computer, but in nearly every one of those cases, it causes great inconvenience to the owner of the computer also. However, it really DOES have more to do with where one goes, and what one opens, than anything else; in the long run.

tarzioo

9 years ago

What is a good software for preventing this? Is MacScan good? I currently use ClamXav but doubt it really does anything.

Goodhart (in reply to tarzioo)

Reply 9 years ago

A good firewall (like from CheckPoint) is a must. But the most important thing after having all the safety checks in place, is where one surfs, and what one opens (like what attachments and whose emails). The best thing one can do is to keep everything updated (patched). There are programs out there for those not savvy to computers, that will check to make sure you have the latest version and patches.

tarzioo (in reply to Goodhart)

Reply 9 years ago

Oh awesome! I will definitely check it out, thanks!

Goodhart (in reply to tarzioo)

Reply 9 years ago

Tarzioo, the following is one I use to keep my programs up to date and patched....

Secunia PSI

Plasmana

9 years ago

Do you mean the hackers can get into people's computer via Safari?

fwjs28 (in reply to Plasmana)

Reply 9 years ago

yeppers...there was (possibly still is) a way to hijack via QuickTime and such programs through their update utility (I think)...never think you're safe...

Plasmana (in reply to fwjs28)

Reply 9 years ago

Well, I am safe (for now). With help of Little Snitch, I now have manual control over what information can come to or leave my computer. In other words, I can deny my information going to a place with very strange names and numbers together and allow my information to pass to a trusted place. It is hard work, but it is better than strangers reading your personal information. :-)

fwjs28 (in reply to Plasmana)

Reply 9 years ago

the only safe computer is a computer that doesn't exist, while this is an exaggeration, it is very true....what's the program called?

Goodhart (in reply to Plasmana)

Reply 9 years ago

Until it is patched, and then it is patched until another weakness is found....

11010010110 (in reply to lemonie)

Reply 9 years ago

yea that's more likely but anyway the easiest way to infect a large amount of users is making them download and run stuff voluntarily. no os and no surfboard and no antivirus can protect a dumb user (unless the computer or os is so limited that it's technically impossible to run custom stuff on it - that's not the case with most devices)

Goodhart (in reply to 11010010110)

Reply 9 years ago

As Ron White would say: you can't fix stupid....

fwjs28 (in reply to Goodhart)

Reply 9 years ago

YESS!....so true...so very true

lemonie (in reply to 11010010110)

Reply 9 years ago

Oh yes, circulating junk-e-mail for one. Embedding stuff in web-pages downloads and video clips is something else though, that's more like "keep to well-lit areas of the 'net". And you don't have to be so dumb to get caught by that sort of thing. L

11010010110 (in reply to lemonie)

Reply 9 years ago

downloads and video clips are actually something else. if i download a video clip and open it, it opens in the video player and not as executable. sure, if my player has appropriate flaw (that can somehow make it execute binary code hidden in the video) i can get infected from it, but it's not really tricking me to run stuff on the computer

lemonie (in reply to 11010010110)

Reply 9 years ago

Some things do embed in video clips (I'm not going to research this now but I'm fairly confident it's true). This does count as tricking you to run stuff on the computer. L

NachoMahma (in reply to 11010010110)

Reply 9 years ago

. The 25th frame is a subliminal effect. L is talking about malware embedded in videos and other files. They cause the media player (or word processor, &c) to do bad things.

11010010110 (in reply to NachoMahma)

Reply 9 years ago

i would not call an exploited video tricking you to run stuff on the computer

tricking is when it actually tricks you to do something

what you mean is not tricking the user - it's actually exploiting security issues of the computer and not its user

i expect my player to be secure. so i don't think twice before i open video files in it. i don't intentionally run stuff i downloaded and don't trust

Goodhart (in reply to lemonie)

Reply 9 years ago

Yes, but FF is always growing, and there are those that prefer easier targets over more widely used. Security by obscurity doesn't work.

lemonie (in reply to Goodhart)

Reply 9 years ago

"Miller exploited a Safari flaw" - the flaw will be fixed. Just as Microsoft fixes its flaws when they are exposed. Using Safari doesn't put a person at any greater risk in real terms (over a reasonable period of time). L

Goodhart (in reply to lemonie)

Reply 9 years ago

Yes, it is as gmjhowe said, it is the user that creates most of the risk...online.

gmjhowe

9 years ago

Well, if you read the full story, they didn't 'hack' it the quickest.

They used an existing security flaw, hence why more people managed it. The bug was already known. It's like hacking an OS, when you read about someone who had hacked the password.

Despite that, I do admit that Safari is not perfect. I still prefer the security of Mac OS X in general. FileVault is a great feature that Mac has had for many years, and is finally being copied by Windows.

note - I just wanted to comment and say my thoughts, I will not respond to any replies, as I don't wish to have Windows fanboys flaming me

Labot2001 (in reply to gmjhowe)

Reply 9 years ago

WTF WINDOWS > MACS LOL U SUCK MAC FANBOY LOL

(jk)

Goodhart (in reply to Labot2001)

Reply 9 years ago

gmjhowe, shall we flag him? or flog him LOL

Plasmana (in reply to Goodhart)

Reply 9 years ago

I would flag him, but because he said (jk), I am not too sure if I should do it...

Derin (in reply to Labot2001)

Reply 9 years ago

Macs > Windows (yes, I've tried a Mac but I use Windows)

Goodhart (in reply to gmjhowe)

Reply 9 years ago

'Tis ok ;-) but you need to pick up a copy of The 2600 now and then ;-) One of the truest things ever said about anyone online is: the system believed to be completely secure is probably one of the most vulnerable.

gmjhowe (in reply to Goodhart)

Reply 9 years ago

Which is why although I am happy to have a secure system. A bigger truth is it's not the system that makes a computer secure or vulnerable, it's the user.

Goodhart (in reply to gmjhowe)

Reply 9 years ago

Indeed, which is why my statement is so true.....you definitely GOT IT :-)

Doctor What

9 years ago

Why are so many people switching to macs? Aarrgh! (don't answer that question, I know why)

Goodhart (in reply to Doctor What)

Reply 9 years ago

Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.

DJ Radio

9 years ago

I have Firefox and iPhone. I'm safe.

Goodhart (in reply to DJ Radio)

Reply 9 years ago

Well, as noted elsewhere, those that feel secure, probably are the least secure...normally, users, are the main problem...

NachoMahma (in reply to Goodhart)

Reply 9 years ago

. Yep. The cost of surfing is eternal vigilance.

  • Apologies to Mr. Jefferson

DJ Radio (in reply to Goodhart)

Reply 9 years ago

well, I think the main problem is my mom. She actually fell for a virus scan scam. Luckily she has a limited account and I stopped it.

KentsOkay

9 years ago

GOOGLE HUSTLE AND GET CHROME FOR MAC OUT ALREADY!!

Goodhart (in reply to KentsOkay)

Reply 9 years ago

Last year, Miller exploited a Safari flaw to hijack a fully patched MacBook Pro machine.