Posted on 03/20/2015 2:41:46 PM PDT by Swordmaker
So much for browser security. Researchers who participated in the Pwn2Own hacking contest this week demonstrated remote code execution exploits against the top four browsers, and also hacked the widely used Adobe Reader and Flash Player plug-ins.
On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X.
He walked away with US$225,000 in prize money, not including the value of the brand new laptops on which the exploits are demonstrated and which the winners get to take home.
(Excerpt) Read more at pcworld.com ...
If you want on or off the Mac Ping List, Freepmail me.
This should surprise nobody.
All software, all browsers, all OS’s have their vulnerabilities/insecurities.
None are immune.
OK, so I guess the only really important statistic is how long it took to hack each one? I assume they were at current patch level and default settings. It would be interesting to see how each did at full security.
bump.
Why is this an Apple ping?
There is nothing specific about Apple here.
Other than it isn’t particularly secure.
“Other than it isn’t particularly secure.”
Hurry up! Put on your flame suit AND your tin foil hat! Swordmaker is going to jump on you with all four feet!
ROFL j/k, Sword! ;-)
Safari was hacked as well. . . or didn't you bother to read the article?
To be clear, that was Safari on OS X. Now I know, as OS X has gotten more popular, we are hearing more about the hacks, but there have been years when it was the first hacked at this contest and all the excuses ensued.
Getting into the browser is not going to get you far on OS X. It runs in a sandbox. (͡° ͜ʖ°)
IE and the other browsers can run in sandboxes, too, for those ‘in-the-know’. ;-)
These ‘alarms’ I think are aimed at computer-illiterate old people who tend to be more ‘trusting’.
For years, the prize was only the computer on which the target was hacked. . . and every hacker wanted the Mac. Later they increased the prize to the computer plus cash, which grew as the manufacturers and publishers got involved.
The exploits are NOT hacked at the contest but before the contest. . . with months of work. Charlie Miller, the ex-NSA computer expert who won five times in a row, said he used his staff of two other ex-NSA guys to find the vulnerabilities and develop an exploit, which would then be weaponized. The script to accomplish the exploit would be handed to the referees for execution on the targeted computer and voilà, done. . . in seconds. It all came down to who got the first 15-minute window and choice of machine to work on. The winner of the previous year's contest always got first choice. . . and Charlie always picked the Mac when he was targeting a computer. That is the only reason. . . because the rest would fall just as easily for the same reason. Prepared exploits.
What is the definition of hacked? Did the hackers get a root command line prompt on the Mac?
>>Safari was hacked as well. . . or didn’t you bother to read the article?<<
I did and that was my point. Everyone got hacked, Apple and Wintel.
It depends:
On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X. Lee's attack against Google Chrome earned him the largest payout for a single exploit in the history of the competition: $75,000 for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 for also hitting the browser's beta version, for a total of $110,000.
The IE11 exploit earned him an additional $65,000 and the Safari hack $50,000.
Lee's accomplishment is particularly impressive because he competed alone, unlike other researchers who teamed up, HP's security research team said in a blog post. . . .
Most of the attacks demonstrated at Pwn2Own this year required chaining of several vulnerabilities together in order to bypass all defense mechanisms put in place in operating systems and browsers to prevent remote code execution.
The final count for vulnerabilities exploited this year stands as follows: five flaws in the Windows OS, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader, and Flash Player, two in Apple Safari and one in Google Chrome. All bugs were reported to the affected vendors after the contest, as part of the competition's rules.
So for some of the browsers, the answer was ALL THE WAY TO SYSTEM, or ROOT in the terminology of UNIX and Linux systems. In the case of Safari and the Mac, Pwn2Own has never succeeded in ever reaching ROOT. . . and this time was no different. They did not even get to the user-level access. They got into the browser and could see things like history and Bookmarks, etc., but not install anything. . . No administrator-level access.
The bounties are paid by the various manufacturers and publishers of the products.
I would expect that if there were a Windows Ping list, the person keeping that Ping list would PING the members to this thread as well. . . as would the keeper of any other TECH PING list.
What is a good browser to change to from IE?
Same with FF and Chrome, FWIW.
IE is the only kernel-integrated browser out there, making it the least desirable among the browsers, something that MS is hopefully fixing with Spartan.
Microsoft is supposedly going to release an Internet Explorer replacement with the release of Windows 10. . . a complete re-write. You may want to see how that works out. Wait until that comes out to select another. In the meantime, I'd try Firefox. I think Chrome opens you to the Google sneak observations. . .
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.