Pwned! Safari 5.0.4 Hacked Using MacBook Air in Five Seconds Flat
Apple’s Safari browser may be fast and the preferred choice of many, but hackers continually show off just how vulnerable it is. This week, a French hacker pwned the brand-new Safari 5.0.4 in only five seconds -- taking home a $15,000 prize as well as a new MacBook Air.
9to5Mac is reporting that the CanSecWest security conference in Vancouver, British Columbia was the scene of the latest Safari browser hacking. While one security expert broke into a MacBook Air in only two minutes through Safari back in 2008, this week’s event has to be a new record, with the latest Safari 5.0.4 pwned in a mere five seconds.
Ironically, only a few minutes before the contest kicked off on Wednesday, Apple unleashed the Safari 5.0.4 update, which French security firm Vupen claims patched 62 known vulnerabilities in the browser -- but clearly not all of them, as the firm won the $15,000 grand prize in addition to a MacBook Air for cracking Apple’s browser at the event.
Don’t feel too sorry for Apple, though -- Microsoft’s Internet Explorer 8 also got pwned with relative ease. “The contest rules required that browsers be frozen to certain version numbers -- Safari 5.0.3, Chrome 9, Internet Explorer 8 and Firefox 3.6 -- although that didn’t preclude researchers from trying to hack the latest browser releases,” 9to5Mac reports, which was the case on Wednesday.
Looks like Apple will have to go back to the drawing board for a Safari 5.0.5 release in the near future, at least to patch the vulnerability exposed by Vupen at this particular security conference.
Follow this article’s author, J.R. Bookwalter on Twitter
(Image courtesy of 9to5Mac)
MadMan459
March 10, 2011 at 11:27am
Yeah I'd like to know more about the test as well. Unfortunately neither you nor 9to5 Mac bothered to get any of the specs. You both mention that Apple released the 5.0.4 update just prior to the test, but according to the rules, the browser version was supposed to be frozen at 5.0.3. I doubt they actually ran the update before the contest.
The tweet from @vupen was:
"We pwned Apple Safari on Mac OS X (x64) at pwn2own in 5 seconds. Congrats to all VUPEN team members for their hard work! Thanks all!"
No mention of the version number. No mention of how. If it required the Safari user to enter an admin password (or if they were provided with the admin password of the Mac being hacked) then it is a #FAIL and a fraud.
And really... pwned? I know that's the term they use but come on.
mrcrilly
March 10, 2011 at 9:00am
It wasn't "pwned" in five seconds. The browser was exploited within five seconds after the malicious website was visited, but the exploit took two weeks to develop, with a team of THREE researchers.
I think your article inspires fear into people, which is wrong in my eyes.