IE8, Safari, iPhone All Fall At Pwn2Own Contest
SpuriousLogic writes "The annual Pwn2Own contest at CanSecWest is underway, and on the first day Web browsers fell to attack. Internet Explorer 8 and Firefox 3.6.2 on 64-bit Windows 7 and Safari on OS X all were forced to run exploit code. To add insult to injury, an iPhone was cracked and the SMS database lifted from it."
Updated 22:40 GMT by timothy: CWmike adds this interesting bit: "The only researcher to three-peat at the Pwn2Own hacking contest said on Thursday that security is such a 'broken record' that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software. Instead Charlie Miller will show the vendors how to find the bugs themselves."
Title misleading? (Score:5, Insightful)
Title misleading maybe... just a bit? Firefox got owned as well.
Re:Title misleading? (Score:4, Insightful)
Mod parent up. We all love firefox and all, but seriously, it deserves as much shame as all the other failed browsers. Submitter biased much?
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
If you have that much trouble with Firefox, why do you keep using it?
Re: (Score:2)
That was going to be my question. Pretty much I use Chrome for most of my browsing. If a page doesn't work, just IE tab it. Not even game to use Firefox these days due to sluggish performance and continual crashes.
I was, at one stage, a HUGE fan of Firefox. Before Mozilla fucked it up like they did with the original Mozilla/Netscape browsers.
Re: (Score:2)
Same here. Got tired of IE slowness and switched to Firefox. But incompatibilities, slowness and the plugin nonsense got me to try Chrome and I love it. So much faster. Never looked back.
Re: (Score:2)
Re: (Score:2)
I use it as my main browser at home but I prefer Safari or Chrome
This sentence is strange.
Re: (Score:2)
Re:Title misleading? (Score:5, Funny)
Wimp. Firefox is open source. Why didn't you fork the project, fix the crashing problem, and then offer the patch code upstream while distributing Firefox under your own branding?
That's how open source is supposed to work, you ninny. Why don't you actually participate in it once in a while, instead of just being an end user?
Re:Title misleading? (Score:5, Funny)
I propose a new moderator option:
-1 Woosh
Re:Title misleading? (Score:4, Insightful)
Re:Title misleading? (Score:5, Insightful)
What are you doing exactly that firefox crashes? Other than jinitiator problems, there's almost nothing that can do so.
Your lack of information makes me skeptical of vying for firefox instability. In fact, it sounds downright misleading. This is like saying "My car stalls sometimes". The answer is, sure, it does, but what are you doing to cause it? Firefox doesn't just "Crash on its own" and neither does any browser.
Likewise, the same basically applies to safari, IE8, etc. As much as all browsers have security risks, their instabilities mostly don't exist.
Re: (Score:3, Informative)
Clearly you never visit sites that use Flash or other plugins.
Firefox the browser may not crash often. Firefox the platform does. And when it does, it takes down all my open websites.
I still use it anyway of course - no switching until AdblockPlus (or equivalent) is available for a worthy competitor.
Re: (Score:3, Informative)
I too have experienced crashes with Firefox since 3.6, and awful slow downs, in fact, I left it running overnight and locked my computer then came down the next morning to find my computer running slow. I checked task manager and found that Firefox was sat using 1.8gb of RAM, so certainly there seemed to be something screwy with memory management there.
I _think_ the problem is down to handling of some Javascript, when it's crashed it's been loading certain pages, but I can't say for sure. I've always had qu
Re:They had no choice, Slashdot headlines are shor (Score:5, Insightful)
IE8, Safari, FF, iPhone All Fall At Pwn2Own
It has fewer characters.
Or, focus on one area: IE8, Safari, Firefox all Fall At Pwn2Own
And they didn't bother to mention Firefox in the description either, which clearly had enough space to include the word "Firefox."
Google Chrome (Score:3, Interesting)
Not for 15 months (Score:2)
Re: (Score:2)
Chrome (on Windows) came out of beta back in 2008 [blogspot.com].
Gmail (again by Google) took over 5 years [techie-buzz.com] to leave Beta, so I could see it.
Well ... (Score:5, Insightful)
On the other hand, these security holes are real and need to be addressed by anyone and everyone that was shamed (this means MS, Apple, Mozilla, everyone) pronto!
Re: (Score:3, Insightful)
Re:Well ... (Score:4, Insightful)
App security may be generally terrible, but I believe that the fact really proves that the contestants can keep a secret until the contest.
On the other hand... (Score:5, Insightful)
the very fact that these people know what to do beforehand is proof that app security is generally terrible.
Well, I think you have a very good point there - but on the other hand, the developers do have to prioritize the work they do. Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort. In principle "security through obscurity" isn't a good policy but in practice it's often good enough. If the software has a serious flaw but nobody knows about it, that's good enough, at least temporarily.
Re: (Score:2)
"the developers do have to prioritize the work they do."
Of course they have to, since they are a scarce resource.
"Finding and fixing a serious, but hard-to-discover security flaw before this flaw has become widely disseminated may not be worth the effort."
You are right... provided that was the case which, for the most part, it isn't.
We are no more on the glory days of Ada Lovelace or Alan Turing. We know (as a collective) what must be done. The case is that, for the most part, all those bugs are not "seri
Re:On the other hand... (Score:5, Insightful)
Nice, you've just contradicted every security researcher over the last however many years. Congratulations on coming across as a fool.
Dude, we disagree. It happens. You don't need to be a douche about it.
Software Engineering is an engineering discipline. That means the principles according to which the product should work are always tempered by the reality of how the work must be conducted. What good is it, for instance, if you have the most secure browser of them all, if nobody uses it? That's an extreme case, of course, in which security concerns are so heavily emphasized that they would compromise some other essential concern (for instance, it could fuck up the release schedule, interfere with work being done to make the software run quickly, or take development resources away from the challenge of trying to make the browser more appealing to its audience...) Obviously there are other intermediate outcomes possible. But generally speaking one can't aim for perfection. If you set out to make something perfect, it never gets done, because it's never perfect. Obviously the bugs should be fixed... But finding and fixing a security flaw before an exploit has made its way into the wild is not necessarily the best use of development resources. It depends on the situation, really.
Re:On the other hand... (Score:4, Insightful)
I usually aim for perfection, though I don't wait until then to release. Aiming for perfection is fine. Waiting for it is not, as attaining perfection isn't possible.
Re: (Score:2)
Software Engineering is an engineering discipline. That means the principles according to which the product should work are always tempered by the reality of how the work must be conducted. What good is it, for instance, if you have the most secure browser of them all, if nobody uses it?
The safest bridge is one that prevents people from getting on it.
Re: (Score:3, Funny)
The safest bridge is one that prevents people from getting on it.
But woe to those who go under it.
Re: (Score:2, Interesting)
Wow. Just wow. You realize that in any engineering discipline other than software "engineering", that attitude could quite literally leave you facing charges of criminal negligence in court? You follow best practices, you use the established procedures to avoid failure, you *do the work that has to be done* or you are
Re: (Score:3, Insightful)
No, he's absolutely right. The safest one lane bridge will be one made with 10 bazillion cubic feet of cement and steel...with a few holes to let the water through of course. But, this is the real world, you can't do that. It would be ugly, environmentally harmful, and cost too much money; it wouldn't get built on real earth.
There's ALWAYS compromise for functionality. This is why things such as "margin of safety" exist. You don't build something that will not fail, you build something that a failure is, st
Re: (Score:2)
Re: (Score:2)
Yes, now that I know you have a gun, I'm going to pack Kevlar.
Re: (Score:3, Insightful)
my password on my bank site is 1234!ab. my bank account pin is 2389. my mother's maiden name is O'Conner. I have $37,890.12 in savings, and about $2,200 in checking (it varies)
I'm also a gun owner in a castle doctrine state.
Security through obscurity is a myth? COME GET SOME.
Well, thanks for the information, Mr. Anonymous Coward.
Re: (Score:2)
Re: (Score:3, Insightful)
Because it wasn't part of the contest due to its extremely small market share.
Re: (Score:2)
So 64-bit ASLR on Windows is flawed as well... (Score:5, Insightful)
Re: (Score:2)
So ASLR and DEP are both red herrings and don't fix the real problems with PC security!?
GASP! Where's my fainting couch?
Re:So 64-bit ASLR on Windows is flawed as well... (Score:4, Informative)
It was already known and acknowledged by Microsoft that their ASLR implementation on 32-bit Windows was rather weak, but apparently the 64-bit version of it can be bypassed as well, as all of the hacks of pwn2own on Windows 7 made use of return-to-libc attacks, which should be impossible on systems with address space layout randomization.
You can corrupt memory on 64-bit windows by just running MSFT's own development tools like VS.NET with resharper plug-in. VS.NET begins to corrupt the address space rather quickly. To run VS.NET with any amount of stability on 64bit windows, you have to run it through a third party wrapper application which patches VS in memory to make it large address space aware and stop the memory fragmentation.
Re: (Score:2)
Re: (Score:2)
That any program can do that is the real issue...
Re: (Score:2)
GP was talking about the process' own address memory. Of course any process can "corrupt" its address memory (that is, heap structures and stack frames), and that is true on any modern OS. The OS only guarantees that one process won't be able to corrupt (or, generally, access) the address space of another.
Re:So 64-bit ASLR on Windows is flawed as well... (Score:5, Interesting)
VS has never done this for me. Which version of Visual Studio are you talking about? Really VS.NET? Because that's 7 years old AFAIK.
VS 2008 is a 32bit application and it is not even large address space aware so when it is running inside of WOW (windows on windows) in 64bit Server 2008 R2, you will get memory fragmentation fairly quickly because of memory allocation bugs within the Wow subsystem of the 64bit version of any MSFT OS. As Sir_Lewk points out, any 32bit application can cause this problem. The less memory you have, the faster you will notice it.
See this page for information on the problem:
http://stevenharman.net/blog/archive/2008/04/29/hacking-visual-studio-to-use-more-than-2gigabytes-of-memory.aspx [stevenharman.net]
Here is a fix for the problem:
http://confluence.jetbrains.net/display/ReSharper/OutOfMemoryException+Fix [jetbrains.net]
Other OSes like OS X and linux do not seem to have these sort of problems. I am able to run 64bit apps in Snow Leopard while running in 32bit kernel mode for driver compatibility. Not only does windows not run 32bit apps properly in 64bit mode but it cannot run 64bit apps in 32bit mode and the 64bit version is a completely separate build of the OS.
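The "large address space aware" setting and the ASLR and DEP mitigations argued over in this thread are all opt-in bits in a Windows executable's PE header. The following Python script is an added example, not part of any comment above: it reads those bits from a file's headers and lists what a defender would flag. The function names and the sample header images are constructed for illustration.

```python
import struct
import sys

# Flag values from the PE/COFF format.
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # COFF Characteristics bit
DLLCHAR_DYNAMIC_BASE = 0x0040            # DllCharacteristics: image opts in to ASLR
DLLCHAR_NX_COMPAT = 0x0100               # DllCharacteristics: image opts in to DEP
PE32, PE32_PLUS = 0x10B, 0x20B           # optional-header magic: 32-bit / 64-bit


class PEFormatError(ValueError):
    """Raised when the input does not carry a usable PE header."""


def inspect_pe(data: bytes) -> dict:
    """Return the header bits relevant to address-space size, ASLR and DEP."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    # COFF file header: 20 bytes directly after the 4-byte signature.
    (_machine, _nsec, _stamp, _symptr, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 72 or opt + 72 > len(data):
        raise PEFormatError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise PEFormatError("unknown optional-header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_64bit": magic == PE32_PLUS,
        "large_address_aware": bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE),
        "aslr": bool(dll_chars & DLLCHAR_DYNAMIC_BASE),
        "dep": bool(dll_chars & DLLCHAR_NX_COMPAT),
    }


def findings(report: dict) -> list:
    """Turn the raw bits into the list of issues worth raising."""
    out = []
    if not report["aslr"]:
        out.append("image does not opt in to ASLR (no DYNAMIC_BASE)")
    # 64-bit processes always run with DEP, so the bit only matters for PE32.
    if not report["is_64bit"] and not report["dep"]:
        out.append("32-bit image does not opt in to DEP (no NX_COMPAT)")
    if not report["is_64bit"] and not report["large_address_aware"]:
        out.append("32-bit image is limited to 2 GB of user address space")
    return out


def build_sample(magic: int, characteristics: int, dll_chars: int) -> bytes:
    """Constructed header-only image for the demo; not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    machine = 0x8664 if magic == PE32_PLUS else 0x014C
    opt_size = 0xF0 if magic == PE32_PLUS else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(4096)                     # headers live in the first page
    else:
        blob = build_sample(PE32, 0x0102, 0x0000)    # constructed legacy 32-bit image
    for line in findings(inspect_pe(blob)) or ["no findings"]:
        print(line)
```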
I'm not a troll, read the links. (Score:4, Informative)
Re: (Score:3)
I did follow your links.
Note that the problem is Visual Studio's memory allocation policy, not WOW or any other part of the operating system.
Memory fragmentation is a well known problem for C++ applications (or any other non-garbage-collected apps) and it affects all platforms equally.
Maybe that's why you were modded troll.
Builds via the command line begin to fail on the 64bit machine after a few runs without my having to load either VS 2008 or the Management studio (which also loads the runtime). So in this situation both resharper and VS 2008 are removed as factors. The issue has to be with the way the WOW system allocates memory because you can perform the same operations until you are blue in the face on a 2GB 32bit machine without any crashes. So mr. anonymous apologist for MSFT, what is broken? Is every tool that works f
Re:So 64-bit ASLR on Windows is flawed as well... (Score:4, Insightful)
Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!
Re:So 64-bit ASLR on Windows is flawed as well... (Score:4, Funny)
"Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!"
You don't get it, do you?
That the application were unstable would be no news. That your 8 year old amateurish application can corrupt the memory space of a modern 64-bit OS *is* Armageddon for the OS architect... or it should be, at the very least.
Re: (Score:2)
That the application were unstable would be no news. That your 8 year old amateurish application can corrupt the memory space of a modern 64-bit OS *is* Armageddon for the OS architect...
It cannot. An NT process cannot "corrupt" (whatever that means in this context) the memory space of another process. If it is really what the original post meant, it's both outlandish and false. But I think that you rather read it wrong, and the actual claim is memory corruption within VS process, which is obviously possible by malicious or badly written code.
Re: (Score:2)
Wait, wait, don't tell me: Running an 8 year old development platform written by amateurs with an unsupported 3rd-party plugin in a 32-to-64-bit emulation layer on a modern operating system is unstable? Oh my fuck, it's Armageddon!
No, I am running VS 2008 and as I pointed out in another post, OS X can run 64bit apps in 32bit mode or vice versa no problem.
Here is a link to more on the problems I was having and someone in the responses posted a link to a wrapper in memory patch to the fragmentation problem.
http://stevenharman.net/blog/archive/2008/04/29/hacking-visual-studio-to-use-more-than-2gigabytes-of-memory.aspx [stevenharman.net]
Re: (Score:2)
???
I don't see memory fragmentation being a problem with 64-bit address spaces for a very, very long time. Unless a contiguous range of 2^40 addresses is just not enough.
Re: (Score:2)
???
I don't see memory fragmentation being a problem with 64-bit address spaces for a very, very long time. Unless a contiguous range of 2^40 addresses is just not enough.
My development VM only has 2GB allocated to it. The instability is exacerbated if I do a full build of the entire tree via command line as the build will call a bunch of 32bit commands. Most of our developers are still on 32bit machines which are quite stable but I was developing software to target a 64bit server farm so someone thought it a good idea for me to develop on a 64bit VM.
Opening up SQL Server 2008 management studio at the same time as even a patched VS 2008 instance can be problematic. Allocat
Misleading; no credibility (Score:5, Insightful)
Re:Misleading; no credibility (Score:5, Insightful)
Isn't your point about Chrome invalidated by your point about the time taken?
Did no one attack Chrome because none of these researchers had an exploit that would work against it?
Re: (Score:2)
Isn't your point about Chrome invalidated by your point about the time taken?
Did no one attack Chrome because none of these researchers had an exploit that would work against it?
I'd like to see whether the exploit was
Re:Misleading; no credibility (Score:5, Insightful)
I believe what you really meant to say was that we shouldn't fall into the trap of believing that Chrome is actually safer due to the fact that no one really targeted it in this contest.
I've done my share of "Digital Combat Exercises" and you are correct that we should only view the contest as a verification that flaws exist, and not as a certification that a particular platform is safe.
For my first competition, my team concentrated on all the windows machines on the network because we had a list of known exploits and figured that we could exploit them the quickest and therefore accumulate the highest score possible within the time limits. All teams used the same strategy, and the Linux machines weren't even targeted. This wasn't because Linux was safer, it was because we all knew Windows was a softer target. This made for some very close final scores.
For the following year's contest (which I couldn't participate in due to a schedule conflict), my old team paid attention to the known exploits for Linux and started targeting them to guarantee a larger lead going into the final minutes of the contest.
I think you'll see this pattern in all "hacker" contests. Each year more platforms will fall as each team strategizes on what will give them the edge during the time allotted. You'll probably see Chrome fall next year. Look at Safari in Pwn2Own, it wasn't until 2 years ago before people started to seriously attack it for the points.
Re:Misleading; no credibility (Score:5, Funny)
This wasn't because Linux was safer, it was because we all knew Windows was a softer target.
Whoa, whoa, WHOA. Just stop right there, Bill. I'm going to have to teach you a thing or two about what you're allowed to write here on Slashdot. Now give me a second to get on my high-horse.
Reasoning is not welcome here.
That's right Bill. We don't need your reasoning here. We know we are right. This is Slashdot! We are the tech community. We know our OSes. We know our software. Just because of some contest with some rules and some teams that want to win the contest by the rules doesn't automatically invalidate our knowledge and wisdom as Slashdot.
Linux is more secure because it is open source and licensed under the GPL. It doesn't matter if it is still unsafe by your standards.
You see, Bill, we on Slashdot do not need to review the source code of Linux because we have declared it safe. Why is it safe? Because it is GPL. And everyone knows the GPL is safe. Therefore Linux is safe, Bill.
IE8 is mentioned first because it is owned by Microsoft, and Microsoft is evil due to historical technology atrocities against other for-profit software corporations. Therefore IE8 is the worst piece of software ever to exist.
So the reason why IE8 falls faster is not because you and your team thought the Microsoft product was "softer". It was because it was the spawn of the devil! Even wackos know the spawn of the devil should be hacked first. Don't you agree?
Firefox is not listed in the title because we need to get a head start on bashing proprietary software rather than reading the summary.
As a real Slashdotter, I pride myself in not reading the article let alone the summary. The title effectively summarizes the direction of all comments in the thread. And that direction is to bash proprietary software, starting with Microsoft first.
Here's a tip, Bill. The headline on Slashdot should give you a hint at what kind of comment you should post on Slashdot. If you are not capable of discerning that from the title, only then may you read the summary. Reading the article is only reserved for picking out additional points to back up your original claim, not to invalidate Slashdot's wisdom. And that would never happen because Slashdot's wisdom is never wrong in the first place.
Apple and Google are bad... but did you know that OSX is really UNIX and Webkit and Chrome are open source?
See, once again open source products are good for you. You should use open source products!
I hope that clears things up, Bill. Please refrain from posting useless comments in the future.
Thanks,
/.
Re: (Score:2)
Re:Please elaborate (Score:4, Interesting)
Sorry about that. I've really made a confusing comment.
What I meant was that Linux wasn't necessarily safe, it was just a much harder target than Windows. Why? Because there were plenty of working exploits in the wild for Windows, yet all we had were a list of exploits for Linux that needed to be coded.
So Windows proved to be the "softer" target just because of time saved. Linux wasn't necessarily "safer" because we had the RedHat bulletins in hand and could have taken advantage of them but didn't because it would have required more time per point scored when compared to Windows. Why work hard to gain fewer points? The scoring didn't factor difficulty in that first year. I don't even know if they do now.
Unlike Pwn2Own, Digital Combat Exercise (love it when the Army gets involved) did not disclose the network layout. So we had to map it, and exploit it in 2 hours. This made it more of a race than to demonstrate security hardness of an OS. If anything, it was more of a demonstration on the importance of a qualified IT staff.
Anyway, the only thing that prevented Linux from being exploited that first year was laziness (and lack of time) on our part. We assumed Linux was hard to exploit, so we didn't bother. The following year the team didn't have that assumption and took advantage of some machines that didn't have up-to-date patches.
Hope that clears up the confusion a little.
Huh? "Pwn2Own" Has No Credibility? (Score:2)
Why would you ever imagine something called "Pwn2Own" might ever have credibility in the first place?
Re: (Score:2)
Did they try to crack Opera? (Score:2)
Article is so poor in detail :(
Re: (Score:3, Informative)
Holy Shit (Score:3, Funny)
Instead Charlie Miller will show the vendors how to find the bugs themselves.
Well, there's an idea. Is it something that really can be taught?
Re: (Score:2)
Instead Charlie Miller will show the vendors how to find the bugs themselves.
Well, there's an idea. Is it something that really can be taught?
The bugs he found can be taught on how to fix, but will it help them find different bugs is more the question.
Re: (Score:3, Interesting)
No, really, guys, is it something that can be taught? Or is it more like having the knack for programming in the first place? Like having the cleverness to come up with certain algorithms? If you can describe it well enough that you end up with something ... that ... can ... I bet ... you end up with a program? Um, Purify? Valgrind? I'm not a programmer, but I think those only go so far, right? So we don't have the knowledge in question codified, I bet, so I suppose there may also be some challenge
Sandboxing news! (Score:2, Informative)
"However, neither the Firefox nor the IE 8 exploit could overcome the sandboxing features in Windows 7 Protected Mode."
big, good, relevant, no, yes?
Re: (Score:2)
I'd like to see crackers write their own browsers (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.
Re: (Score:2)
So if you're such a badass programmer please link to your assembly-coded web browser that contains zero exploits. Oh, you don't have one and you're just a posturing tard? Yeah, that's what I thought.
You don't have to be a master of the subject to be able to point out its flaws. Pointing them out helps to see the problems so they can be fixed. I can tell when a car's engine is not working, doesn't mean that I shouldn't keep quiet about it if I can't build a better one.
Re: (Score:2)
Yeah... with that attitude I wouldn't be surprised to find out that you're the one responsible for the f00f bug.
Re: (Score:2)
I don't get exploited, nimrod
I don't think Nimrod [wikipedia.org] means what you think it means.
Security is dead (Score:3, Insightful)
While I'm all for tight code where every byte is important, one could just as well argue that languages used aren't high-level enough.
Operating systems and apps are often coded in languages like C or C++, that allow a lot of things, which turn into vulnerabilities down the road. Assembly is king of this: it allows a programmer to do anything, including things that aren't safe, smart or correct. No matter how good the code you produce or how comprehensive your testing procedures are, the sheer size of softwar
Re: (Score:2)
There's a lot of research around (see seL4 microkernel or Coyotos for example), but results rarely find their way into mainstream products.
Because it takes 10 times as long to write code that is totally formally verified?
Re:Security is dead (Score:4, Insightful)
Vista, the pile of problems that it is, took thousands of people about 6 years to create.
It would have been simply infeasible to increase the work by 10x (since 10x as many people couldn't do 10x the work -- overhead and all -- we're talking probably at least 15x - 20x increase in cost to develop, and probably more elapsed time regardless of the number of engineers).
Even if it costs a trillion dollars, spread over 10 years, to fix things that could have been prevented with the 10x effort up front, it simply wouldn't have been possible.
Ultimately, we would all have to settle for slower innovation and simpler products.
So far, the market has decided that a somewhat-buggy, vulnerable, but cheap, advanced, and rapidly developed product is more valuable than an expensive, simple, but bulletproof application for most people's needs.
For some things, it is probably worthwhile to scale back expectations of complexity and innovation to increase invulnerability and guarantee correctness. Software running on the space shuttle or a nuclear sub strikes me as belonging to this category.
But, for right now... I wouldn't pay $2500-$5000 per seat for an operating system that was as advanced and capable as Windows 7, but which had zero crash bugs and zero security vulnerabilities. (and similar outsized pricing on other software that I use)
Nor would I be willing to pay today's prices for secure versions of 10+-years-ago software when the same prices could get me modern software.
Until we can find a way to decrease the comparative cost of building provably-secure systems (versus what is available with rapid development and "best efforts"), it isn't going to happen for most software.
Re: (Score:2)
You talk like they're doing it wrong.
Security is always a tradeoff. Yes, you can have a verified browser - and maybe you can reach Lynx features in six years. And remember, you'll also need a verified subsystem (L4 is a microkernel, it doesn't include much of the stuff you get from e.g. Linux), libraries, etc.
It's no different than physical security. Why don't we all have a bodyguard and bullet-proof cars? It's simply not cost-effective.
Re: (Score:3, Funny)
Re: (Score:2)
Assembler, by a rule, is just harder. Most 'programmers' couldn't understand the machine's native language if their life depended upon it. They are relying upon someone else's code to translate down to that, and if those methods are flawed they're screwed.
All security begins with the basics, and for computing devices, that basic is their native machine language. If you ignore the basics, you're going to be fucked later on.
Re: (Score:2)
It's not that I can't understand it, it's that I can't read it. Alas, I simply cannot tell the difference between 2.8V and 0V.
Re: (Score:2)
It's not that I can't understand it, it's that I can't read it. Alas, I simply cannot tell the difference between 2.8V and 0V.
That's actually easier to tell than you think.
Re: (Score:3, Insightful)
And the machine code depends on logic circuits which in turn depend on complex software tools that design those circuits, which depend in turn on, blah, blah, blah,.... Sooner or later you have to face the fact that if you can't trust anyone to do their job properly then you're fucked before you even start.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You make it seem like there's more to the saying that we're supposed to recall. Like, we lean back and think for a second, and then our eyes light up as we have an epiphany about how that multi-part proverb that relates to not killing the messenger is the perfect metaphor for the OP's lack of analytical thought.
.
When, in reality, the entire proverb is:
Don't kill the messenger
So I vote we come up with some new clauses to add to that proverb. Lik
Re: (Score:2)
If you believe wikipedia on its origins, the whole thing might actually be "don't kill the messenger because he's not lying" (In Henry IV, they threaten to kill the messenger because they don't believe his message) .-* The More You Know.
Re:So many exploits, so few hydrogen bombs (Score:4, Insightful)
Re: (Score:2)
"If I don't know about it, then it must not exist!"
I gather that is a paraphrasing of "what you can not see can not hurt you", which is more accurately "what you can not perceive can not affect you" which oddly enough is an actual fact.
Now I'm not saying this is how we should handle security, just saying it is actually a valid statement.
It's also not what the GP was saying. They were saying that if we kill all the people that are smart enough to exploit the security holes then we would need not be concerned with anyone exploiting those security holes. Wh
Re: (Score:2)
Re: (Score:2)
Middle management.
Re: (Score:3, Informative)
You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc.
This is the third year in a row that Miller did this. He has street cred, so think before you call BS.
Re: (Score:2)
All of these hacks are real-world drive-by attacks against fully patched machines with default OS mitigations in place (ASLR, DEP, sandboxing). You get pwn3d if you go to a malicious page, go to a legit page with a malicious banner ad/embedded iframe, get redirected (via malicious WiFi AP) to a malicious page, etc. This is the third year in a row that Miller did this. He has street cred, so think before you call BS.
From your explanation the issue is then with WebKit and not OS X.
Re: (Score:3, Interesting)
From your explanation the issue is then with WebKit and not OS X.
WebKit ships in the box that says "OS X" on it.
(by the same token, IE exploits are counted as Windows security issues - and rightly so)
Re: (Score:3, Informative)
True, but I thought the point being made was that WebKit affects more than just Safari.
It does. Since WebKit is a library, it will affect everything that uses it. Since it's a standard OS library, any OS X application that might want to render some HTML will probably use it.
Isn't it the core of Firefox these days?
Er... no. Firefox is still Gecko, and they don't plan to change.
And others?
Chrome uses WebKit, but I'm not sure if it actually uses OS-wide WebKit library on OS X, or its own version. I suspect the latter, since, supposedly, they did tweak it quite a bit.
Re: (Score:2)
FTFY. If you're going to reflexively slam Mac users, get your in-jokes right.
Re: (Score:3, Insightful)
This is not about just Safari and OS X - all the details about browser exploits, including for Firefox and Windows are just too scant in detail.
Re: (Score:3, Funny)
I've had it with these motherfucking bugs on these motherfucking browsers!
Re: (Score:2)
It's not the first [computerworld.com] time [computerworld.com] Apple products fail at pwn2own.
Re: (Score:2)
But Three makes a pattern, they can no longer claim the first two were a fluke. It shall certainly be a restless night for the Jobites.
But the fanboi is a resilient beast, the fear shall be wiped from their minds and be filled with the love of Jobs, with this love they will troll the intertubes with twice the gusto, conveniently forgetting that pointless P2O competition
Re: (Score:2)
It's an insult because Apple fanboys tout the superiority of Apple's security. It's an injury because Apple touts the superiority of Apple's security.
It sounds like you're an AC with nothing worth whining about.