Apple Safari hacked in matter of seconds
By Asavin Wattanajantra,
A security researcher has hacked into a fully-patched Macbook in seconds by exploiting a security flaw in Apple’s Safari browser, according to reports.
Security analyst Charlie Miller won a thousand dollar prize and a new Macbook at Canada’s CanSecWest security conference in its Pwn2Own contest, an annual hacking competition pitting researchers against browser technologies.
Ryan Naraine, a security evangelist for Kaspersky, was twittering and blogging from the event.
Naraine said that Miller used a drive-by exploit that he had already tested carefully, after coming to the conference with a plan to hack into the browser.
Miller said: “It took a couple of seconds. They clicked on the link and I took control of the machine.”
Miller won the contest last year when he managed to hack another fully patched Macbook, that time "only" in minutes.
Naraine said that TippingPoint’s Zero Day initiative acquired exclusive rights to the vulnerability and would coordinate the disclosure and patch release process with Apple.
Microsoft’s new Internet Explorer 8 browser and Mozilla Firefox lasted longer, but were also hacked in the first day of the conference.
A security researcher called “Nils” took full control off a Sony Vaio running Windows 7 using a drive-by download attack. Microsoft’s security response team was reported to have witnessed the exploit.
“Nils” was also the second hacker to beat Safari, and also exploited a Firefox zero-day flaw.
Perhaps surprisingly, Microsoft pledged its support to the competition.
Sarah Blankinship, security strategist for Microsoft’s Ecostrat team, said in a blog post that good security dictated that you couldn’t hide from the truth and every issue was an opportunity to learn and improve.
She said: “We recognise that all vendors’ products may be found vulnerable.
“Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering.”
Apple declined to comment, while Mozilla had not responded to our request for comment at time of writing.
You may also like...
Sponsored Links
advertisement
You may also like...
Latest Security Analysis & Insight
Who to trust after the VeriSign hack?
Davey Winder questions what data was stolen from VeriSign and wonders why the company hasn't been more forthcoming.
- Striving to solve the security skills crisis
- Would you employ a hacker or malware writer?
- Q&A: Raj Samani, CTO McAfee
- Erase and rewind: the EU and privacy
- My email address is [CENSORED]
- Is there such a thing as a secure tablet?
- 2011: The year in news
- BYOD: Old or new, good or bad?
- Are the cookie laws crumbling already?
Latest Security Reviews
Check Point 2210 Appliance review
Rating: 
advertisement
Most popular
- Google releases Chrome for Android beta
- Will someone rid me of these troublesome Macs?
- OneNote hits Google?s Android
- BlackBerry Bold 9790 review
- Google sends in Bouncer to sort out malicious apps
- Ubuntu vs. Windows 7 on the business desktop
- Who to trust after the VeriSign hack?
- Head to Head: Mac OS X 10.7 Lion vs Windows 7
- ACTA: the basics, the controversies, and the future
- BT considering Ofcom price cap appeal
Latest News Videos in Security
IT PRO Podcast: Are UK data protection laws flawed?
PlayWe bring in two experts to talk about the problems with UK data protection law and the way it is managed.
Register for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
Firefox security
I note that FF 3.0.7 has just been released. Perhaps this was in response to the exploit described?
By gcd_8136a2c4175a on Friday Mar 20