Safari on a Mac proves easiest to hack

March 19, 2009

For the second year running, a security researcher has exploited a weakness in Safari on a Mac to win a contest to see how quickly a user could hack into a computer.

Charlie Miller, the winner of the Pwn2Own contest at the CanSecWest conference this week in Vancouver, BC, arrived with a prepared exploit to use in hacking Safari running on Mac OS X. His prize? A cool $5,000 and the laptop he cracked, not bad for a few minutes' worth of work. The contestants this year had a choice of two systems to hack. The first was a Sony Vaio running Windows Seven pre-release beta and using the Internet Explorer 8, Firefox, and Google’s newest Chrome browsers. The second was a MacBook running OS X with the Safari and Firefox browsers.

The idea behind Pwn2Own is to show how difficult it is to hack into a personal computer and, further, which system is easiest to hack into. Last year’s contest included a Linux system as well as a Windows PC and a Mac running OS X. As it transpired, however, no one was willing to put in the time necessary to develop tools to break into the Linux platform, so there was no Linux target in this year’s contest, according to a Computerworld story.

The problem with this contest is that it is attended primarily by security analysts who have identified security shortcomings (primarily in browsers and browser add-on software) as a part of their jobs but have not yet reported them. While this does in some ways simulate the real world in that a hacker could also find the security holes, it does not mirror the way the security world actually works.

The people doing the best at these contests are the very security experts that are being paid to find security holes before the hackers do and report them to the company producing the software. That way, the holes are closed before they can ever be used for malevolent purposes, or at the least the exposure periods are very brief.

In the end, this seems to be more about publicity than it is about exposing security holes so that they can be patched. This situation is a little like paying extra for protection from your local police department or the FBI. The people being paid to learn the tricks learn a new one, then use it to claim the prize, then report the security flaw. The ethics of that seem pretty fuzzy to me.


4 Responses to “Safari on a Mac proves easiest to hack”

  1. CaliforniaMegalotto:

    Yay!!! I heard about this contest… for security experts it's the best way to figure out leaks.

  2. ncaissie:

    And there are a lot of Apple fans that say IE is bad.

  3. Thomcarl:

    Sorry fan boys, this contest has been proven to be rigged, the same guy breaks it on Safari every year, he’s a developer that works mostly on Apple.
    He finds an unknown hole, checks to make sure that no one else has found it, and weeks later when the contest starts he goes right to the hole and gets into the system in seconds, it's a hoax ncaissie. So who’s the fanboy now ya frigtard. Do some research before you open your pie hole dum-dum.

  4. jabber_wolf:

    No way, you mean Apple has to pass the same security scrutiny that windoze has to?

    With the same security holes, that never get reported but massively piled upon by mac fanatics?!

    Man, so unfair that OSX has to be put to the same standards as windoze…

    That's SOOOO not cool, I’m telling my love Steve Jobs!!!



Copyright © 2014 NS