

Safari/Mac OS X first to fall at pwn2own - kenjackson
http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

======
trotsky
Amusing how paranoid the browser developers have become about CanSecWest:

Pwn2Own browser day: March 9th, 2011

      Safari 5.0.4 released March 9th
      Chrome 10.0.648.127 released March 8th
      Firefox 3.6.15 released March 4th
      Internet Explorer 8 didn't get a patch this cycle (too cool for school)

Mobile day: March 10th, 2011

      iOS 4.3 released March 9th
      Nexus S 2.3.3 released Feb 24th
      Not sure about WP7 & BB

~~~
neilc
FWIW, Safari 5.0.3 was used for the competition.

Besides, if most competitors arrive at the competition with carefully-
researched exploits available to use, I'm not sure this sort of last-minute
patching would make much difference, even if it was intentional.

~~~
trotsky
Apparently the last week's code rule was a surprise, I don't think the vendors
knew about it.

 _I'm not sure this sort of last-minute patching would make much difference_

Even if the vulnerability is still there, screwing with the way the binary is
built and linked could easily make it so they'd have to put it back in a
debugger and retune the exploit.

------
GHFigs
Every year the press makes it sound like a race, or that being exploited first
is somehow worse than being exploited later in the day. The fact is that time
slots are assigned randomly:
<http://twitter.com/VUPEN/status/40078022325444608>

------
darren_
Interestingly, according to
[http://www.computerworld.com/s/article/9214002/Safari_IE_hac...](http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own?taxonomyId=82&pageNumber=2)
, the researchers who signed up to hit Chrome have either not shown up or
decided to concentrate on Blackberry instead. Seems their sandbox holds up
quite well.

------
YooLi
Taking down the Mac gets you the best laptop and the most press. Simple.

It would be different if the other OS/browsers didn't go down too, but because
the Mac is always first to go just means it's the most desirable target.

~~~
latch
I can see how you associate it being the least secure with it being the most
awesome. I don't see what could go wrong with your ability to take some
legitimate and important criticism about something you like and turn it into
something awesome about said thing.

Macs always go down quickly in these contests. The people who make it happen
often say that it's considerably easier.

edit: Charlie Miller: "It's really simple. Safari on the Mac is easier to
exploit. The things that Windows do to make it harder (for an exploit to
work), Macs don't do. Hacking into Macs is so much easier."
-[http://www.zdnet.com/blog/security/questions-for-pwn2own-hac...](http://www.zdnet.com/blog/security/questions-for-pwn2own-hacker-charlie-miller/2941)

~~~
icarus_drowning
The existence of the vulnerability itself is now obvious-- no one is arguing
against it. (And thus, I don't think anyone's arguing that a fully-patched OS
X system is fully impenetrable). But the fact that the winner gets to keep the
hardware certainly has a lot to do with which target they choose to attack.

Did Safari fall first because it is the least secure, or because it is the
hardware everyone wants to win? It really is difficult, if not impossible to
tell.

Personally, I'm quite sure that the Windows machines are at this point far
more secure, simply because Microsoft takes so much battering by being in the
dominant position. But I wouldn't use this as evidence for it.

EDIT: Question about your quote-- later in that article, Miller suggests that
there is no "randomization" in OS X, while this year's article says his
exploit bypassed ASLR in OS X-- is this a new feature in OS X that wasn't
present in 2009?

~~~
recoiledsnake
>Did Safari fall first because it is the least secure, or because it is the
hardware everyone wants to win? It really is difficult, if not impossible to
tell.

>But the fact that the winner gets to keep the hardware certainly has a
lot to do with which target they choose to attack.

That's just weak, the prizes were $15,000 even for IE8 and Google was offering
$20K.

How many Macbooks can you get for $15K or $20K?

[http://www.computerworld.com/s/article/9207939/Google_bets_2...](http://www.computerworld.com/s/article/9207939/Google_bets_20K_that_Chrome_can_t_be_hacked)

The easiest way to get a lot of Macbooks would be to exploit the easy software
to hack and just buy them from the store.

~~~
trotsky
Historically this was more of a factor though - it's definitely something
Miller has mentioned as being a part of his decision making. The prize
structure has changed a lot: in 2009 TippingPoint offered $5,000 + the
machine, in 2010 it was $10,000 + the machine and now it's $15,000 + the
machine.

~~~
recoiledsnake
The other laptops have been decent too. The Chrome netbook would be a novelty
to show people and Alienware/Sony VAIO machines are not bad at all.

------
kenjackson
Later IE8/Win7 falls: [http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windo...](http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367?tag=mantle_skin;content)

------
adsr
I question the metric used in these contests. Reports always make it sound
like someone just walks up completely unprepared and hacks a machine.

“We had to do everything from scratch. We had to create a debugging tool,
create the shellcode and create the ROP (return oriented programming)
technique,”

Obviously there is a fair bit of preparation involved.

~~~
trotsky
They're all prepared in advance. I don't really understand what you mean about
the reporting though, as you point out the discussion makes it clear none of
this is off the cuff.

~~~
adsr
Yeah that is my point, then why is there a focus on who is first?

~~~
trotsky
Each day the rules get looser making the compromise easier. I can't find the
2011 rules easily but here they are from 2009:

      Day 1: Default install no additional plugins. User goes to link.
      Day 2: flash, java, .net, quicktime. User goes to link.
      Day 3: popular apps such as acrobat reader ... User goes to link

iirc it's only the last year or two that most of them have been falling on day
1

------
mikey_p
So you win a version of the most vulnerable software/hardware?

------
bigiain
"VUPEN won a $15,000 cash prize and an Apple MacBook Air 13″ running Mac OS X
Snow Leopard" ... and Calculator.app, whether he wanted it running or not.

------
dailyrorschach
I'm not surprised, this is what, the third year in a row now? I hope Apple pays
attention to the things Google is doing with Chrome. If I'm not mistaken, Lion
will be shipping with WebKit2 and sand-boxing.

I've tried Chrome, but I just always go back strangely to Safari; it just feels
right at home.

~~~
Stormbringer
Isn't the surprise rather that it is not the guy who knocked it over straight
away three years running?

This is really embarrassing for OS X fans.

~~~
darren_
It's not surprising because he [Charlie Miller] was fourth or fifth in line.

Everyone who signs up for this has exploits already in the bag that they've
been working on for weeks, it's not like it's hackers showing up and racing
each other to discover exploits from scratch (which, incidentally, renders the
whole "first to fall"/"browser X pwned in seconds" style of headline asinine).

~~~
dailyrorschach
Right, here was the article with the former, three time champ:
[http://arstechnica.com/apple/news/2011/03/likely-pre-pwn2own...](http://arstechnica.com/apple/news/2011/03/likely-pre-pwn2own-safari-patch-unlikely-stop-three-time-pwner.ars)

