Skip to main content

Contestants at Pwn2Own take down Safari, but said OS X security is better than other systems

sm_MG_7704

<a href="http://www.pwn2own.com/photo-gallery/#prettyPhoto[]/13/">Pwn2Own</a>

As usual, the annual Pwn2Own contest featured many hackers targeting the latest operating systems and browsers from the major vendors, including Apple. Threatpost reports that the “Keen Team” focused Safari on Thursday and exploited it with relative ease.

The team took home a $40,000 bounty for their efforts on Safari, as well as a share in a $75,000 prize for co-engineering a zero-day Flash exploit. They say they will donate some of their winnings towards charities representing missing Malaysian Airplane passengers.

The group say that for Safari, they used two different exploit vectors. One vulnerability was a heap overflow in WebKit that enabled arbitrary code execution. The team then used this opening to use another exploit to bypass the application sandbox and run code as if it was user privileged.

According to Chen, one of the pair who represented the Keen Team at Pwn2Own, the WebKit fix is will be easy for Apple to resolve although the sandbox exploit may be harder.

“I think the Webkit fix will be relatively easy,” Chen said. “The system-level vulnerability is related to how they designed the application; it may be more difficult for them.”

That being said, Chen believes that OS X offers better security than its rival operating systems.

“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”

In a separate interview with CNET, Chen said that despite the locked-down nature of iOS, Apple’s mobile OS is usually easier to target than OS X because Apple implements newer security safeguards more quickly on the desktop platform.

As usual, Apple representatives observed the exploits at the event so fixes for the issues will likely appear bundled into future software updates for iOS and OS X.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. komarovstyle - 10 years ago

    Great post.

  2. Len Williams - 10 years ago

    I’m glad to see Apple and other OS vendors participating in these hacker contests, so that security issues are able to be recognized and handled before they become known to the general public and malicious hackers.

  3. b9bot - 10 years ago

    More fantasy hacks. You can hack anything when you have physical access to it. Try it behind a firewall and a secured Mac and I don’t see it happening period.

    • Ben Anderson - 10 years ago

      Going to have to agree with b9bot here. Its valliant that Apple and other such vendors participate in contests like these to try and iron out any and all security exploits, but how exactly would they perform these exploits in the real world? This isn’t a computer sitting next to them with a crack team of researchers, it’ll be over the internet.

      I work in a data centre and anyone who tries to break in and exploit windows system gets stopped by simple off the shelf firewalls and they never get any further.

      At best I can see these exploits happening via social engineering, but that’s about it.

    • ashtraywasp - 10 years ago

      There are no “fantasy hacks”. Pwn2Own doesn’t work like that. It actually works like real world hacks would, that’s the point.

      Hacks are performed via a web page. Hell, the whole event is based around browser attacks. They are done by simply the target device visiting a webpage (of the potential attacker). That’s it.

      The security researcher’s job is obviously designing their webpage to exploit a vulnerability in the browser and/or OS and see if they can gain access to the system. There is no “fantasy” stuff.

      OS X and iOS ARE among the most secure OSs around, they really are. But they’re not immune to vulnerabilities. Whether they’re prone to being easily exploited or if there are attacks against them taking place in the wild is a whole other thing, but I always find it interesting in a nice way reading through the security content of updates on Apple’s website (http://support.apple.com/kb/HT1222).

  4. ashtraywasp - 10 years ago

    Chrome has been updated today, all of Chrome’s exploits have been patched on all platforms within 24 hours.

    I wonder how many days it will take Apple.. probably a few days due to their more conservative attitude to updates, and probably (hopefully just) another few due to the latter exploit supposedly requiring more work to fix.

  5. James Katt - 10 years ago

    OS X 10.9.3 is coming soon. These security vulnerabilities will be patched. I would still like to see if a virus can be done on OS X. None of these hackers have created a virus.

  6. drummerstar - 10 years ago

    These drive by attacks are nice if you’re hanging in the dark corners of the internet, or just Godaddy, apple or Paypal hand over your password through a phone call, like decent hackers do it.

  7. Michael Wildoer - 10 years ago

    Most people could improve their security by simply using strong passwords wherever possible, using a password manager like PasswordVault ( lavasoftware.com ), which has a password generator. The lite edition is free and runs on MacOS and Windows. I wish more people would realize that password managers are the way to go.

Author

Avatar for Benjamin Mayo Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.