Apple Safari hacked in matter of seconds
By Asavin Wattanajantra
A security researcher has hacked into a fully-patched Macbook in seconds by exploiting a security flaw in Apple’s Safari browser, according to reports.
Security analyst Charlie Miller won a thousand dollar prize and a new Macbook at Canada’s CanSecWest security conference in its Pwn2Own contest, an annual hacking competition pitting researchers against browser technologies.
Ryan Naraine, a security evangelist for Kaspersky, was twittering and blogging from the event.
Naraine said that Miller used a drive-by exploit that he had already tested carefully, after coming to the conference with a plan to hack into the browser.
Miller said: “It took a couple of seconds. They clicked on the link and I took control of the machine.”
Miller won the contest last year when he managed to hack another fully patched Macbook, that time "only" in minutes.
Naraine said that TippingPoint’s Zero Day initiative acquired exclusive rights to the vulnerability and would coordinate the disclosure and patch release process with Apple.
Microsoft’s new Internet Explorer 8 browser and Mozilla Firefox lasted longer, but were also hacked in the first day of the conference.
A security researcher called “Nils” took full control of a Sony Vaio running Windows 7 using a drive-by download attack. Microsoft’s security response team was reported to have witnessed the exploit.
“Nils” was also the second hacker to beat Safari, and also exploited a Firefox zero-day flaw.
Perhaps surprisingly, Microsoft pledged its support to the competition.
Sarah Blankinship, security strategist for Microsoft’s Ecostrat team, said in a blog post that good security dictated that you couldn’t hide from the truth and every issue was an opportunity to learn and improve.
She said: “We recognise that all vendors’ products may be found vulnerable.
“Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering.”
Apple declined to comment, while Mozilla had not responded to our request for comment at time of writing.

Firefox security
I note that FF 3.0.7 has just been released. Perhaps this was in response to the exploit described?
By gcd_8136a2c4175a on Friday Mar 20