back to article Making sport of browser security, hackers topple IE, Safari

Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them. The attacks came on Day One of the Pwn2Own contest, which pays …


This topic is closed for new posts.
  1. RPF
    Thumb Down


    ...also fell quickly. Why no mention of that?

    1. Anonymous Coward
      Thumb Up

      was wondering

      I was wondering how FF performed, being my own browser of choice. Likewise Opera.

      (I just prefer it, i dont believe FF is any less hackable than anything else out there)

    2. graeme leggett Silver badge

      Could be

      Because these are both combinations of OS and browser by the one company (who ought to know the ins and outs as good as anyone) one might assume (wrongly as it turns out) that these would be the most secure combinations.

      I'm sure the other hacks will get a mention in time

      1. erkulas

        Couldnt be

        I would argue that in as a rule of thumb having a more integrated (and thus complex) system makes for a more insecure product. So in theory Opera/FF have a bit better chance of being secure than IE9 or Safari .

        Anyhow the Spaceshuttle does fly better than a brick, so every theory has exceptions :) .

    3. Anonymous Coward
      Anonymous Coward

      What year would that be then ?

      "The Chrome and Firefox browsers will be the target of hackers on the second day of the contest."

  2. Tigra 07

    Not sure if this is even a good idea but...

    Shouldn't they realistically get to hack all the browsers on any available operating system?

    Like FF on iOS or Windows, Safari on both, Chrome on both and so forth?

  3. Anonymous Coward

    Microsoft and Apple both suck

    I pronounce this flame war officially open.

  4. dave 46


    Either there are nefarious back-room deals and bribery afoot or Chrome is actually pretty damned secure.

    Who'd have thought.

    1. Anonymous Coward
      Anonymous Coward

      I suspect

      its because Its not a terribly tempting target for hackers at the moment due to its limited userbase.

      They also seem to be the most pro-active about fixing bugs quickly.

      (Something FF used to be, but seem to be not quite as good at these days, IE does once a month, sometimes, and Safari seem to do a lot less than any of the above)

      1. BorkedAgain

        @ Spodula

        Y'reckon? You don't think the extra 20k on top of the 15k standard bounty, plus the kudos from the other hackmasters would tempt anyone?

        More likely scenarios (as suggested elsewhere) would be:

        * bought out for 36k + job + second-hand car with odd holes in roof

        * Exploit no longer works on Chrome 10

        * Bizarre GooNav accident drives him into a river en route to contest

        Feel free to choose, depending on your favourite shape of tinfoil hat...

        1. CD001



          * Bizarre GooNav accident drives him into a river en route to contest


          lol - that is all :D

    2. noboard

      Chrome not hacked

      Iirc from last year, the hackers could exploit Chrome fairly easily, but they couldn't get out of the sandbox, so the exploit was limited. I'm pretty sure nothing's changed and if someone could exploit it, they would have.

      What I'd really like to see is how hackers fare against Firefox and other browsers with common plugins enabled (noscript and suchlike).

  5. Anonymous Coward

    Sorry, there must be an error in the article

    Did you say the Apple Mac and Safari had been hacked on the first attempt?

    No, impossible. Everyone knows they are "unsinkable"

    IE we expect to be hacked. Apple's "security by obscurity" is clearly not working.

  6. Anonymous Coward
    Anonymous Coward

    Why no Firefox?

    Was Firefox not in the contest?

    1. two00lbwaster

      No Firefox results because it was delayed until day 2

      So anyone saying that it has been hacked already is wrong.

  7. PlunderBunny


    "The contestant [to attack Chrome] never showed."

    Google take browser security _very_ seriously.

  8. Jacqui


    "and just one to attack Chrome, which in addition to the $15,000 prize awarded by Pwn2Own sponsor Tipping Point, also fetched $20,000 from Google. The contestant never showed."

    This probably means the exploit either failed, was sold for a much higher fee on the black market

    or google bought him off.

    I assume the worst case scenario. And 15K for an expliot that took nine months is *cheap*.

  9. Anonymous Coward

    Liar Liar

    But, but but... sniffle, Macs are perfect and it was only exploited because you're all nasty nasty Windows Fanbois in the pay of Bill Gates, Our Lord Jobs would never lie to us and allow us to worship at his feet with flawed software.

    And cue fanbois in 5,4,3,2.......

    Pants on fire obviously....

    1. Giles Jones Gold badge

      Read the article, it has the facts in it

      Did you even read the article?

      Windows exploit time to develop: 6 weeks.

      Mac exploit time to develop: 9 months.

      The exploit on the Mac was run while the user was logged in as an administrator. Apple don't recommend this and you certainly wouldn't run your desktop as root on Linux.

      1. Andrew 102
        Thumb Down

        Maybe you should read the article..

        It clearly states he found it 2 weeks after creating the tools needed and then held on to it for 9 months.

      2. JEDIDIAH

        Trying to avoid the truth...

        This exploit runs under whatever priveledges your user has just like any other Trojan. While it's nice that the core system is not infected, you still have the problem that your own data could be toast or that you could be hosting all sorts of illegal content.

        Not running as root does not "solve" this problem.

        A Safari equivalent of NoScript might however.

      3. Anonymous Coward
        Anonymous Coward

        Original AC

        Errm, perhaps those rose tinted glasses they hand out with the Koolaid to fanbois need cleaning?

        Give them a wipe over and read the article properly, once you've done that I'll graciously accept your grovelling apology as a reply in the forum.

  10. Anonymous Coward

    Chrome not hacked....

    ....apparently the guy is still wandering around trying to find the place, because Google maps mysteriously keeps sending him round in circles....

  11. JDX Gold badge

    Mac malware

    So why are there not Mac viruses and drive-bys out there? Or are there but we just don't realise it? Trojans is one thing but website-driveby attacks are quite another.

    1. GatesFanbois

      Here's yer title

      Probably because there wouldn't be enough of a return for the criminals to go to the trouble of doing it. Hacks on windows are prevalent not just due to them being easy but also because there is a huge number of people using the system. These two factors combined result in a nice return for the criminals. As OSX is such a minority system then the return is much less so why go to the trouble.

    2. Ammaross Danan

      Carpet Bombing

      Apparently you missed the /very public/ articles about the Safari drive-by-download they likened to "carpet bombing..."

      That and it's a simple law of economics. You expect the best return by targeting the largest market. I know if I stuffed a virus on a drive-by-download site, expecting to hit perhaps 100,000 random targets (before the page is taken down by the powers that be), I'd load it with a windows virus. Why? 90,000 (90%) of them are likely to be read on a PC (vs the 5.19% Apple). Same principle applies to the likelihood of spreading (email or otherwise).


  12. Anonymous Coward
    Big Brother

    "The contestant never showed."


  13. JaitcH

    How can this be? Apple software nis perfect - ask any iPhan

    Not withstanding all the expertise his billions can hire, Jobs gang still can't do the job perfectly - despite what they claim.

    At least Microsoft is more realistic, they know they are not perfect and have given the the pretence, just using the hackers for a free quality check. Still after all these versions of I.E. you would have thought they would have performed better.

    1. Giles Jones Gold badge

      Nobody is perfect

      Has Apple or Microsoft even claimed to write 100% bug free software that is absent of design flaws?

      Nope. The difference is in how many flaws are there due to backward compatibility or ease of use. Windows was the king of backward compatibility and ease of use and they've moved back from that position with Windows Vista and 7. But there's still a lot to do.

      You have to remember that these hackers are pretty exceptional at what they do. Now imagine how long it would take them to work out an exploit if they swapped places, the OSX guy tried to hack Windows and the Windows guy tried to hack OSX. It would take them a long time to get up to speed.

      The fact is Windows is the platform that gets exploited the most and those people wanting to exploit the Mac would need to either buy one or use a hackintosh. Then get up to speed with it.

      The sort of people who buy Macs don't intend to exploit it and ruin the experience.

    2. Anonymous Coward
      Anonymous Coward

      How are you...

      Any less of a fanboi than the 'iPhans' that you tritely and obtusely refer to? "At least Microsoft..." Yeah, yeah yeah, still nothin' but a troll. What were the house rules on trolling again El Reg?

  14. krambam

    So what does this mean for the iPhone?!?

    I don't use Safari on my MacBook given it's dubious "heritage" in this competition. However, given Safari on iPhone is your only choice, what do these exploits mean for that?!? Are the iPhone version or iOS sufficiently different from the OSX version so as not to be exposed?!?

    1. Anonymous Coward
      Black Helicopters

      No Opera on iPhone?

      Can Opera not be installed on iPhone? I installed Opera on my iPod Touch (from the App Store).

    2. irneb

      RE: So what does this mean for the iPhone?!?

      Probably to an extent. I think the iOS is a small bit different than the OSX on the macbook. So the "commands" sent to the OS would need to differ once Safari has been hacked.

      That's maybe also a small (but cumulative) reason why less even tried to hack chrome & FF. They could be on any OS, while Safari & IE only have the one OS to worry about.

      But this really opens the flood gates for those IPhans: 2 weeks of hacking to crack Safari (which is supposed to be secure because of the "hidden" nature of the program's workings - the hacker even mentioned: "In (OS X) there is not even shell code available on the internet."), but IE took a whole: "about six weeks of full-time research to find the bugs and write working exploits for them."

      ... SO! ... even with more info available to the hacker it took him 3 times longer to actually get it hacked!

      1. justkyle

        What self-respecting hacker

        Hasn't heard of

        Isn't that the code base that Safari is derived from?

        Methinks the hacker doesn't know much about them thar interwebs

    3. irneb

      RE: So what does this mean for the iPhone?!?

      Oh, and there was me thinking that Opera had a chance on iPhone. Or was that only on iPad? Or did Stevie have some other mind-altering-drug and throw them out again?

      1. zanto

        it's called conditioning

        iphone users are conditioned not to know any other browser but those authorized by his magnificence.

    4. justkyle

      Alternative iOS browsers...

      DO exist, even within Apple's Walled garden.

      Opera, and Snowbunny browsers. Opera does work better. Both are free. Both in iTunes store.

      The real question is whether or not WebKit is susceptible.

      Everybody really knows, text mode browsing is the only way to go.

      Lynx for the Wind!

      1. zanto


        shirley you mean elinks?

        tabbed browsing, scroll wheel support (yeah yeah, even for a text browser), ssh support, better formatting. plus all the usual goodies that lynx offers like tying into mutt to display html mail etc.

        maybe lynx also supports some of the above, but it didn't when i made the switch many a fortnight ago.

        unless, i am a complete dodo and you are referring to browsers only available in ios.

        beer cos it's friday and you deserve one for mentioning lynx.

  15. David Lawrence

    Pedant alert....

    Sorry but the author of this artical does not seem to know the difference between 'principal' and 'principle'. They wrote....

    "Steven Fewer, an independent security researcher and principle of security consultancy Harmony Security...."

    I suspect that Mr Fewer is actually a principal of said consultancy.

    Sorry just working here to protect the beauty of our language like what she is wrote.

    1. DZ-Jay

      Re: Pedant alert...

      Sorry, but you do not seem to know the difference between "article" and "artical." You wrote...

      "Sorry but the author of this artical does not seem to know the difference between..."

      In case you weren't aware, "artical" is not a word.

      Sorry, just working here to protect the beauty of your language (it's my second).


      1. Marky W
        Thumb Up

        Heh. Pwned.

        Appropriately enough.

      2. Ken Hagan Gold badge

        Re: Re: Pedant alert

        Mr Lawrence will no doubt tell, but i'd have thought it was pretty unlikely that someone who knows the distinction between principle and principal doesn't also know how to spell article, so the "artical" is probably just a joke that you didn't get.

  16. Nick Galloway

    Symbian - Nokia?

    I know Nokia has signed up with the boys of Redmond but has it suddenly become so irrelevant that it no longer rates in a hack fest?

    Sounds like discrimination. Either that or Symbian is bullet proof!!

  17. KroSha

    OSX Privilege

    “We have the same privileges as the user who visited the webpage.”

    And that's the rub.

    If the victim is logged in as an Admin then they get access to most of the Mac, except the System folder, hence why this is a bad idea. If they are logged in as a "normal" User, they can only play in their own Home folder. Limited Users have even less access and Guests have almost none. Very unlikely that they'd be logged in as root.

    I still say that OSX should require that every Mac has a minimum of 1 Admin and 1 other type of user and that it makes a point of instructing people to only use the Admin account when necessary.

    1. EyeCU

      Is the OS that important?

      It depends on what is more important to you. I couldn't care less if I lose my OS as it is easy enough to reinstall. My data on the other hand, which would be accessible as the hacker has the same permissions as me is a totally different story. I would say it is far worse to give them access to your personal files as you don't know what would happen after that. How many people (myself included) have enough in there to give an identity thief an easy ride? CVs, letters to family, saved emails, rude pictures of the girlfriend etc.

  18. Anonymous Coward
    Anonymous Coward


    You're holding it wrong.

    1. Anonymous Coward

      you forgot

      the "sent from my iphone" signature

  19. two00lbwaster

    Mac hack

    So, you now have access to the system through an account; next hack run is privilege escalation exploit.

    Once you're in the system remotely you're in the system, regardless of the account you happen to have wheedled your way into.

    Doesn't matter what system you're attacking, the exploit methodology is the same; get into the system, escalate privileges, control system.

  20. Ken Hagan Gold badge


    A couple of quotes in the article stood out.

    "...proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them."

    They've proven nothing of the sort. They've proven that certain applications are vulnerable. I assume from the lack of coverage that (as in previous years) they didn't even bother to run the "crack a bare OS" contest because no-one can actually do it anymore.

    " “Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security"

    Again, a massive and inaccurate generalisation from a handful of actual data points. If these idiots can't even secure their own mouths against sewage outflows, why should we trust their advice on OS security?

  21. Anonymous Coward
    Anonymous Coward

    Safety in Opera

    As mentioned by a couple earlier, it should be clear, if you really want security while browsing, use Opera.

    While I'm certain it's exploitable, it's had a strong record of minimal vulnerabilities, but also Opera's time-to-patch is very fast. Their 15-yr history of browser design expertise on the desktop and 3000 different handset models, is quite impressive.

    1. BorkedAgain

      Shame it doesn't render properly...

      Ah well, can't have everything...

  22. two00lbwaster

    Day two

    No takers for Firefox so it stands alongside Chrome this year as not having been hacked.

This topic is closed for new posts.

Other stories you might like