Page 1 of 2 12 LastLast
Results 1 to 15 of 19
  1. #1

    mraya's Avatar
    Member Since
    Feb 27, 2005
    Location
    Framingham, MA
    Posts
    940
    Specs:
    MacBook C2D 2.4 2GB
    Safari exploited
    If you are aware of the PWN to OWN contest you may know about this already...

    http://www.engadget.com/2007/04/22/s...acking-compet/

    http://news.com.com/2100-7349_3-6178131.html

    Any thoughts?
    [is pointless to click here]

  2. #2

    baggss's Avatar
    Member Since
    Oct 10, 2004
    Location
    Margaritaville
    Posts
    10,311
    Specs:
    27" 3.4 Ghz i7 iMac-13" C2D Macbook-OSX 10.10.2 -64Gb iPad 2-64 Gb iPhone 6+-ATV 2-14Tb of Storage
    Meh, something else for Apple to fix....


  3. #3

    walmartconnect's Avatar
    Member Since
    Oct 13, 2006
    Location
    Blacksburg, VA
    Posts
    724
    Specs:
    13'' Macbook w/ 2Ghz Core Duo, 2GB DDR2, 250GB HD, 10.5.4. iPod Touch.
    That is pretty funny.

  4. #4

    D3v1L80Y's Avatar
    Member Since
    Feb 02, 2004
    Location
    PA
    Posts
    12,456
    Specs:
    MacBook
    Well, let's look at some key details for this "hack":

    1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."

    2. After nobody was able to successfully complete the task, the rules were then 'relaxed'. This was planned, as they expected failure. The original contest site states: "progressive rules over the three days". In the relaxed set of rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook. In other words, they continually aided these "hackers" by gradually crippling the machines to a point where no conscientious person would have his system set up.

    3. What exactly did he do? The details have yet to be published, and whether or not his "exploit" was malicious or not. Did he have root access? How so, the root user is disabled by default. If he had root, then he would have to have had access on a local level, not from a different machine. He would have also have needed the machine's password in order to activate the root user. The only way to have such information is to have exclusive knowledge of the machine, something your average hacker would not have.


    After reading those articles and others related to this story, it would seem that the computer being "hacked", is the SAME computer that is being used by the "hacker"??? Sure, when you relax rules, allow a person to "hack" the very machine they are working on, thus giving them complete and total local access to the machine.... well, suddenly this doesn't seem so sensational or like much of a grand acheivement.

    "I can hack my very own Mac, the one sitting in front of me...w00t r0X0rZZZZ!!!!111"

    Give me a break.
    __________________________________________________
    Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

    mac: a waterproof raincoat made of rubberized fabric
    MAC: a data communication protocol sub-layer, also known as the Media Access Control
    Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.


  5. #5

    Aptmunich's Avatar
    Member Since
    Mar 09, 2004
    Location
    Munich
    Posts
    9,073
    Specs:
    Aluminium Macbook 2.4 Ghz 4GB RAM, SSD 24" Samsung Display, iPhone 4, iPad 2
    I don't think that was the case...

    From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.

    This is a fairly typical point of attack for many systems and is actually particulary dangerous in OS X mail as you can really easily disguise links and there's no way to see where the link actually goes before clicking on it.

    1. "CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings."
    That would be the majority of OSX users out there - I doubt many members here run 3rd party firewalls or "security software".


    I agree the the reporting surrounding the exploit has been very sensationalistic, (is that a word? ) but the hack itself seems legit. Nonetheless it isn't out there in the wild, should be easily fixable and doesn't really do much besides prove a point.

  6. #6


    Member Since
    Mar 11, 2004
    Posts
    1,964
    Quote Originally Posted by Aptmunich View Post
    From what I've read, the change they made to the rules allowed the contestants to send the remote macbook an email containing a url, that was then opened by the competition organizers.
    The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits.

    Since no one will divulge the successful hack, no one outside of the principals, and perhaps by now, Apple, knows what it is. The method might be a stunningly easy, which is highly unlikely, or incredibly contrived, which is far more likely.

    The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. InfoWorld is owned by IDG that regarding Apple has its own axe to grind.

    The other Mac involved in the contest was not breached.

  7. #7

    rollershoer4MAC's Avatar
    Member Since
    Nov 18, 2006
    Location
    Wisconsin
    Posts
    175
    Specs:
    iBook G3|800Mhz|256MB Ram|ComboDrive|30GB HD|
    Eh, I use firefox anyways....
    iBook G3, 800 MHz, Combo Drive, 256MB Ram, 30GB, Airport Card...For Sale! Here.

  8. #8

    D3v1L80Y's Avatar
    Member Since
    Feb 02, 2004
    Location
    PA
    Posts
    12,456
    Specs:
    MacBook
    Quote Originally Posted by Brown Study View Post
    The rules weren't changed. They stipulated from the outset that if the two Macs could not be breached in a given time, security would be weakened. This was the case, so event organizers using Safari clicked on contrived "malicious" websites built by the hackers expressly to run their exploits......The method ... is highly unlikely, or incredibly contrived....

    The story on the exploit as written by InfoWorld has a grotesquely innacurate headline that is meant to inflame. ....
    Precisely. This hole in Safari is nothing new. It has been shown before. However, the only way to 'exploit' it is to put the target machine in a very specific, contrived, and egregiously unsafe state for it to work. A state that is really only found in a lab or other similar, controlled situation. This is not likely to happen in any real-world scenario.

    The story was meant to sensationalize and to blow out of proportion, a "lab only" situation. It still proves nothing new and it is still an unlikely event to happen to any normal user. It is merely "anti-Mac", Windows fanboy propoganda disguised as "informative news".
    It is sort of ironic also, that the prize here was the Mac itself. :black:
    __________________________________________________
    Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

    mac: a waterproof raincoat made of rubberized fabric
    MAC: a data communication protocol sub-layer, also known as the Media Access Control
    Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.


  9. #9


    Member Since
    Mar 11, 2004
    Posts
    1,964
    The flaw is with Java (not JavaScript) and includes Firefox, not just Safari, this article says. I suppose any other browser would be affected, as well. A posted comment on that site in an earlier story said the same thing, so this latest article supports that poster's contention.

    After reading about Java's many flaws months ago, I turned it off and have never come across a website that requires it.

  10. #10

    Zoolook's Avatar
    Member Since
    Sep 24, 2006
    Location
    Brooklyn, New York
    Posts
    2,756
    Specs:
    15" MacBook Pro, i7 2.66Ghz, 8GB RAM, 512GB SSD; iPad 3, iPhone 5
    OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.
    In the land of the blind, the one-eyed man is stoned to death.
    - Joan D. Vinge


  11. #11

    D3v1L80Y's Avatar
    Member Since
    Feb 02, 2004
    Location
    PA
    Posts
    12,456
    Specs:
    MacBook
    Quote Originally Posted by Zoolook View Post
    OK, own up, who doesn't run a firewall? I always run a firewall, no matter what, which is the router default firewall as well as the OS X firewall. There is no real reason to disable it, IMO, whether running Windows, OS X, Linux BSD, Unix or DOS 1.0.
    I always run mine, it is simple common sense to do so when you have a computer active on the internet.
    __________________________________________________
    Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

    mac: a waterproof raincoat made of rubberized fabric
    MAC: a data communication protocol sub-layer, also known as the Media Access Control
    Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.


  12. #12


    Member Since
    Mar 11, 2004
    Posts
    1,964
    Lots of people running OS X haven't turned the software firewall on even when the machine's not behind a router, because Macs don't ship with it turned on.

    I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.

    I still run OS 9 on the web without a firewall because it's no less difficult for a virus to gain entry than it ever was. And with OS 9, especially now, security through obscurity is no myth, and it's growing more obscure all the time.

    But in the case of this Java exploit, a firewall would have no affect, anyway.

  13. #13

    D3v1L80Y's Avatar
    Member Since
    Feb 02, 2004
    Location
    PA
    Posts
    12,456
    Specs:
    MacBook
    Quote Originally Posted by Brown Study View Post
    I never bothered with a firewall before OS X came along, and there were up to 60 Mac viruses, supposedly (though some say no more than 35), a small number compared to the Windows world but that many more than there are with OS X.
    I never used a firewall pre-OS X either, but those two dozen or so "viruses" for the earlier Mac OSes were in reality, nothing more than bad macros for early versions of Word and Excel for Mac. If you never used or enabled macros in those apps, or if you had anything past version 5.0 for Word or Excel, then you had nothing to really worry about.:black:
    __________________________________________________
    Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

    mac: a waterproof raincoat made of rubberized fabric
    MAC: a data communication protocol sub-layer, also known as the Media Access Control
    Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.


  14. #14

    cwa107's Avatar
    Member Since
    Dec 20, 2006
    Location
    Lake Mary, Florida
    Posts
    26,884
    Specs:
    15" MBP, Core i7/2GHz, 8GB RAM, 480GB Crucial M500 SSD
    Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about. Truth be told, ALL browsers have flaws - and they always will. There's simply no way to absolutely lock down a versatile Internet-enabled portal, teeming with 3rd-party add-ons (Java, in this example) that give it even more functionality. This is just the "always-on, always connected" world we live in today. What I would find impressive would be a hack that doesn't involve a browser. There have been many Windows vulnerabilities discovered that were non-browser specific.
    Liquid and computers don't mix. It might seem simple, but we see an incredible amount of people post here about spills. Keep drinks and other liquids away from your expensive electronics!

    https://youtu.be/KHZ8ek-6ccc

  15. #15


    Member Since
    Mar 11, 2004
    Posts
    1,964
    Quote Originally Posted by cwa107 View Post
    Meh, I wasn't really impressed with this news, although it did give my Windows-loving friends something to talk about.
    According to this, Windows probably is affected, too.
    Gregg Keizer reports for Computerworld, "'Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability,' said Thomas Ptacek of Matasano on the group's blog."

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Safari won't launch: error message 'Safari quit unexpectedly
    By Abbynormal329 in forum OS X - Operating System
    Replies: 9
    Last Post: 03-19-2015, 03:51 PM
  2. Apple's iPhone, Safari exploited at annual hacking contest
    By the8thark in forum Apple Rumors and Reports
    Replies: 0
    Last Post: 03-26-2010, 10:30 AM
  3. Replies: 0
    Last Post: 05-23-2009, 08:35 PM
  4. Replies: 4
    Last Post: 03-22-2008, 12:56 PM
  5. Replies: 1
    Last Post: 01-26-2007, 11:04 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •