Apple's Safari to fall first in hacking contest ... again
Pwn2Own organizer predicts Safari will go under first, but potential 'three-peat' researcher not so sure
Computerworld - Apple's Safari will be the first browser to fall next month at the Pwn2Own hacking challenge, the contest organizer predicted today.
A researcher who has won at Pwn2Own the last two years wasn't so sure.
"Safari will be the first to go," said Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own. Portnoy is the organizer of the contest. "[Safari will] be on Snow Leopard, which isn't on the same level as Windows 7," he added as he predicted Apple's browser would crumble when the action starts March 24.
Now in its fourth year, Pwn2Own has made headlines for hacks of Apple's Mac OS X and Safari, as well as Microsoft's Windows and that company's Internet Explorer (IE) browser. In 2009, for example, researcher Charlie Miller hijacked a Mac in less than five seconds through Safari to win $5,000, while a German student knocked down three browsers on Windows to walk off with $15,000.
Miller, who works as a principal analyst at Independent Security Evaluators, a security consulting firm, plans to again compete at Pwn2Own and hopes to "three-peat" as a contest winner. In 2008, Miller won $10,000 by hacking a MacBook Air in under two minutes, again by exploiting a Safari bug.
But he's not as certain as Portnoy that Apple's browser will tumble first. "Unlike previous years, I'd say Safari isn't significantly easier than the browsers on Windows," Miller said today in an e-mail reply to questions about his Pwn2Own plans and predictions. "I say this because Snow Leopard finally has DEP [Data Execution Prevention]. Also, because at Black Hat DC, Dion Blazakis showed how to defeat DEP in [Windows] browsers. The only difference is that Safari has a bigger attack surface, and includes, for example a PDF reader (Preview) and Flash."
Miller's bottom line? "I'll predict that two to three browsers will go down, including Safari for the fourth straight year," he said.
Last year, Firefox, IE and Safari all fell to attack; only Google's Chrome went unscathed.
The first day of Pwn2Own's browser challenge this year will pit researchers against the latest versions of Chrome, Firefox and Internet Explorer 8 (IE) on Windows 7, and Safari on Mac OS X 10.6, aka Snow Leopard. The operating systems will have their attack defenses configured to their default settings.
If a browser goes down on day 1, its attacker will be awarded $10,000 -- double last year's reward -- and the notebook it was running on. Once hacked, a browser is removed from competition. Untouched browsers continue into day two, when Chrome, Firefox and IE7 -- the 2006 predecessor to the newer IE8 -- are installed on laptops running the older Windows Vista. Any browser that survives to the third day is installed on Windows XP. (Safari remains on Snow Leopard throughout.)
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cybercrime and Hacking White Papers | Webcasts