digg

Facebook Connect Join Digg About
See the original image at arstechnica.com

Top hacker says Safari is "easiest browser to hack"

arstechnica.com Security researcher Charlie Miller, who last year won $10,000 for hacking into a MacBook Air via Safari in just two minutes, says he thinks Safari will be the first browser to fall at this year's Pwn2Own contest.

Who dugg this? Made popular Mar 6, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

388 Comments

show profanity settings
expand all
  • dvicklund, on 03/06/2009, -153/+504Safari is a shoddily written program, much like a lot of Apple software, people just don't notice it until it moves into the Windows realm. There's a reason your iTunes takes 5 minutes to load up and Quicktime barely even runs. Or maybe they do notice it, they just don't want to admit that they made a mistake buying a $2500 computer that they could have gotten for 1/5th of the price if only they didn't just HAVE to have that bitten apple on the side.

    Feel free to digg me down, fanboys, but deep down, you know I'm right. >:-D
  • heystoopid, on 03/05/2009, -61/+181Mind you all "Snapple" fan boys will ever admit to the insecurity of their favorite browser even to themselves .
  • Zaloo, on 03/06/2009, -6/+120I predict a riot...
  • redgiemental, on 03/06/2009, -13/+103As someone that use Safari regularly I'm actually interested in this. I'll see how the competition turns out.
  • ligyron, on 03/06/2009, -3/+89So I guess this "script kiddy" who holds a PhD in mathematics hacked the Macbook Air at the Pwn2Own contest using a tool he downloaded from a warez site?
  • xylemverse, on 03/06/2009, -7/+90Guys, there is no reason to feel so passionately about a For-Profit company's product.

    Apple does not do charity, why should Charlie Miller. Its not like he is selling his insight into Safari's security flaws to some Russian or Chinese black hats who would use it for malicious purpose.

    If he wins, he makes money and Apple gets to know the bugs they need to get fixed.

    End of story, and BTW Apple is not a religion.

    Peace =)
  • xylemverse, on 03/06/2009, -7/+82Last Pwn2Own contest Apple Macbook Air was hacked within 2 minutes.

    If such script kiddies can hack an Apple computer so quickly then apple fans should be concerned.
  • inactive, on 03/06/2009, -9/+69Oh please. The problem isn't the apps, it's that Apple doesn't know how to properly port their apps to Windows. It definitely doesn't leave a good impression. Surprising really when you consider that Microsoft Office on the Mac is a native port.
  • adriaaan, on 03/06/2009, -12/+70Apple fan boy here. ***** Safari, Firefox ftw!
  • tama00, on 03/06/2009, -5/+59Guys don't panic just disable the 'open safe files' options in safari, its a stupid exploit. The guy uploaded a zip file and had a shell script in the zip file and then it automatically executed the script file thinking it was a zip.

    Apple are working on the fix and in the meantime they published this http://support.apple.com/kb/HT2128
  • bluestripes0, on 03/06/2009, -14/+66safari 3 or 4?
  • fabriciom, on 03/06/2009, -13/+59That depends in which mac you chose. Look at the pricing for the new mac pro. Is definitely an ass raping.
  • dk64, on 03/06/2009, -48/+93windows vista applications are definitely slower than mac applications. If u open itunes and quicktime on a pc its going to take 5 minutes, but on all the macs i use, all the applications open seamlessly and rarely stop responding unlike windows applications.

    people have this notion that anyone who thinks a mac is better than a pc is all of a sudden a "fanboy". I dont care about apple. I just prefer their computers to pc's.
  • mr5150, on 03/06/2009, -16/+57never really taken to Safari.....always found it a pain.

    FF3 and Opera are so much more friendlier and packed with so much more usability.

    Not an issue with me as Safari isn't something i ever use.

    Call me when mister super hacker can take control of my machine through those browsers.
  • t0ny, on 03/06/2009, -7/+45I never liked Apple's software when I was using Windows but it run great on OS X. My iTunes takes 4 seconds to load and Quicktime takes 2 seconds.

    I'm a Apple users but not a fanboy.
  • zeth006, on 03/06/2009, -40/+78Well, how could they? The truth behind their purchase--which they paid nearly double for the price of an equivalently-speced PC--would hit them so hard. The truth hurts. Part of the myth behind Macs offering better value is the other fairy tale that they're impervious to worms.
  • hawk0168, on 03/06/2009, -1/+38It looks like someone hasn't played Bioshock...
  • AngelBunny, on 03/06/2009, -4/+40safari is a front end. it is more about webkit.
  • Cwo655321, on 03/06/2009, -13/+49but it looks sexy?!?
  • FUR10N, on 03/06/2009, -7/+42I wish I was that cool.
  • davedelong, on 03/06/2009, -8/+36Buried as inaccurate. The guy got through through a hole in PCRE, which Safari *uses* but is not part of the actual app. It was patched within two weeks of the hack.

    Cite: http://www.thetechherald.com/article.php/200817/78 ...
  • zeth006, on 03/06/2009, -16/+42I take that back. A Mac Pro cost nearly 4 times what my Dell Vostro with the same graphics card and spec cost.
  • ryanonfire, on 03/06/2009, -5/+30Fapple.
  • Shaggy3, on 03/06/2009, -7/+30I love when they talk about hacking things, like all you do is press a button to bring up some virtual maze and you have to get through it as fast as possible.
  • digitalpencil, on 03/06/2009, -2/+25@zeth the Mac Pro comes with a Nehalem Quad, it's not exactly comparable to the Vostro's Q8200 (just because it has roughly the same GHZ, doesn't make it the same chip).

    If you're looking for a Dell unit comparable to the MP than you're looking at the Precision workstations which still don't match the Nehalem cores but are pretty comparable otherwise, even with all the add-ons they match up in price pretty close.
  • inactive, on 03/06/2009, -3/+25I'm the same way with Google Chrome, I'll be checking back to see how that does...
  • TheNik, on 03/06/2009, -5/+26@zeth006: Wow... Close, but...

    The best Vostro I see on Dell's store has a 2.33GHz Core 2 Quad (4MB L2); 3GB DDR2 separated very strangely into 2x1GB plus 2x512MB; 250GB hard drive (lol, rite?); and an overwhelming (/sarcasm) 256MB Radeon HD 3450.

    The LOWEST spec Mac Pro has a 2.66GHz Xeon (8MB L3); 4GB DDR3, separated how you think it'd be; 512MB GeForce GT 120; and a 640GB hard drive.

    Sure, the price is something like $900 to $2500, but comparing the two with those factors as well as the rest of the features, the Mac Pro blatantly stands out. I'm not trying to be a fervent fanboy or anything, but...
  • MediaCrisis, on 03/06/2009, -5/+24iTunes doesn't take 5 minutes to load for me. More like 15 seconds.

    Personally, I have a MacBook Pro for graphics, a PC for web dev and gaming, and I'm buying a netbook with Linux on it. Please don't assume people who use Apple products shun other hardware/operating systems and dry hump their macs on a twice daily basis. Some do, don't get me wrong, but not all of us.
  • Cerebron, on 03/06/2009, -9/+27I really haven't had any native windows apps stop responding.
  • NoozeHound, on 03/06/2009, -3/+21Relevance to security of Safari = 0
  • InorganicMatter, on 03/06/2009, -2/+19We shall see. The last exploit was actually an exploit in the open-source PCRE Library, and not Apple's code. The same PCRE exploit was used to hack the iPhone as well, and was found+patched in several Linux distros. Kind of makes you wonder who's the ones making crap software here: Apple, or the Perl project.
  • KibibyteBrain, on 03/06/2009, -0/+17Webkit is a relatively new hunk of code and the pace of non-security development on it has been immense due to the lack of a good, easy to use, open source basis for rolling your own web rendering apps. People like Apple and Google still see lots of niceness in using it to run their apps, but its far from hardened. The good news though is that the Webkit code is not a steaming mess, and so any security researcher who can code is welcome to tighten it down, if they really feel like helping Apple and Google that much. Plus, I do have to point out that if Microsoft came out with a new web engine like Webkit that finally didn't blow but what really rough around the other edges, people would bash them to hell.
  • theskillwithin, on 03/06/2009, -20/+37My experience on a Mac, Safaria is so much FASTER than firefox.
    i was a firefox fan on windows and was so mad when it was so slow on mac, slower ie on windows dare i say.
  • Digitalicious, on 03/06/2009, -0/+16Well, I can't say that I use the browser, but I do love what the Webkit team is doing in terms of promoting web standards. I wonder if any of the major security short comings Miller talks about are direct results of the browser's rendering engine, and if any of these issues show up in Google Chome.
  • Prosequi, on 03/06/2009, -7/+23Top Hacker...ha - he was given root access to, and actually sitting at, the machine in question - no remote hacks here. So, if someone is sitting in your house at your machine, the security of your browser has got to be about the least of your worries.
  • dvicklund, on 03/06/2009, -14/+30And I prefer Linux, not for stability or quickness, but for complete and total customization. Oh, and it's free, but that's beside the point. The point is that everyone's computing experience is highly personal, no matter which way you look at it. There's certainly no reason to fight over operating systems, but there's definitely cause to laugh at people who are wasteful with their money. Take, for instance, the earliest adopters of the iPhone, they bought it just because it was a shiny new Apple product fresh out of the factory, and look what happened. The price went down dramatically within a matter of weeks, and mere months after that a new version came out with 3G and other miscellaneous, better features.

    On the other hand, those of us average consumers who waited for a while to buy the next big wave of technology, touchscreen phones with everything, were rewarded with other companies coming out with similar products in the United States and Europe that not only blew the pants off of the iPhone, but in many cases were more feature-rich and generally cheaper as well.

    Anyway, I laugh at people who are stupid. That's how I roll. And I just so happen to define stupid as being wasteful and not making the best decisions possible with their money/life.
  • dvicklund, on 03/06/2009, -2/+18You would think that one of the few programs that is actually needed on multiple platforms by a large majority of their customer base would be something they'd spend a little more time on perfecting, hmm?
  • djbutnot, on 03/06/2009, -14/+29I really like my MacBook, and this is coming from someone who was quite anti-Apple for sometime. The problem with the Apple software-on-Windows is that Apple try to shoehorn their user experience into Windows, which runs off a completely different paradigm to OS X. Safari 4 is Apples first real attempt to give Windows users a normal Windows experience. Hopefully the others follow suit. Plus, the MacBook range is quite nicely priced for 13" laptops (at least, in New Zealand).
  • dvicklund, on 03/06/2009, -6/+21In America. In Japan, they've had phones that outpace the iPhone in every way at a fraction of the price. I read recently on this site that the iPhone was doing terribly in Japan - so badly, in fact, that they are considering giving it away with new contracts. Just like the Samsung flip phones that everyone and their mother seems to have these days.
  • utnow, on 03/06/2009, -4/+18Don't kid yourself. Office on mac is the same embarrassment to Microsoft, that Safari for windows is. Dropping preference files in documents folders, installing updater daemons. It's just a giant ***** that gives people the ability to stay within the Office ecosystem even though they want their shiny new apple.

    Apple meanwhile wanted Safari to run on windows so devs could see what their new iPhone web-apps would look like without having to buy new computers to do it. Has nothing to do with market share and never did. The only reason Apple improves it at all is so that the default browser in OSX is pretty for new users right out of the box.

    Neither company has any reason to do any better than provide basic compatibility.
  • r3zonance, on 03/06/2009, -5/+19"Last Pwn2Own contest Apple Macbook Air was hacked within 2 minutes"

    Wasn't it actually 2 days and 2 minutes? The first two days they weren't allowed to "direct anyone to browse to a web site".

    Also the hack that was being demonstrated would have worked on ANY of the platforms offered for hacking. The bloke has said "he wanted to win the MacBook Air", so that's what he tried it on.
  • dvicklund, on 03/06/2009, -4/+17"Hello, I'd like to arrange a meeting with the president for the prime minister of New Zealand. Yes, it's a country!"
  • pentiumii, on 03/06/2009, -0/+13no you are misleading

    he actually found a flaw in adobe flash for safari using that flaw to get root in OSX

    yes he got OSX using a combination of adobe flaw and safari

    and this same trick would have worked on a windows machine as well if u where using safari on windows
  • zip22, on 03/06/2009, -4/+17zeth, how did you configure a vostro like a mac pro?
  • xprojects, on 03/06/2009, -0/+12Do we always base our world knowledge off what a single individual says?

    There is no such thing as complete security. All applications have bugs and exploits, always.

    So why is this in the top ten? A chance to fling mud at Apple? Flame-bait for fanboys? Yeah big deal. This is stupid. All these browsers have had serious security problems.
  • Digitalicious, on 03/06/2009, -1/+13The article isn't about hacking a Macbook Air, it's about hacking Apple products through Safari (and Safari Mobile). The particular computer just happened to be a Macbook Air. The problems are inherent to Safari's security, the browser shipped with the Mac operating system (and often championed as a very secure browser), which Miller says is the easiest of the front-line browsers to hack. The point is, if Miller is correct, all Apple products which run Safari, and any PC running PC versions of Safari could be seriously at risk.
  • dvicklund, on 03/06/2009, -3/+15Oh, come on, no Flight of the Conchords fans? That's impossible!
  • slaystench, on 03/06/2009, -1/+13If that's all this "top" hacker is doing, he needs his title relinquished.
  • inactive, on 03/06/2009, -0/+12What this guy did gets you about as much hacker cred as using google to check open directory listings and saying you hacked into a website.
  • Logal, on 03/06/2009, -4/+15I also like how Mac bashers don't bring out any credible evidence to their theory of overpriced hardware. Build me a comparable laptop to the base Macbook Pro, including software, and if it comes to less than the base price, I will give you the benefit of the doubt. There. Now that's a deal.
  • Fetching more discussions...
    Show 51 - 100 of 399 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.