Apple’s Safari browser may be fast and the preferred choice of many, but hackers continually show off just how vulnerable it is. This week, a French hacker pwned the brand-new Safari 5.0.4 in only five seconds -- taking home a $15,000 prize as well as a new MacBook Air.
9to5Mac is reporting that the CanSecWest security conference in Vancouver, British Columbia was the scene of the latest Safari browser hacking. While one security expert broke into a MacBook Air in only two minutes through Safari back in 2008, this week’s event has to be a new record, with the latest Safari 5.0.4 pwned in a mere five seconds.
Ironically, only a few minutes before the contest kicked off on Wednesday, Apple unleashed the Safari 5.0.4 update, which French security firm Vupen claims patched 62 known vulnerabilities in the browser -- but clearly not all of them, as the firm won the $15,000 grand prize in addition to a MacBook Air for cracking Apple’s browser at the event.
Don’t feel too sorry for Apple, though -- Microsoft’s Internet Explorer 8 also got pwned with relative ease. “The contest rules required that browsers be frozen to certain version numbers -- Safari 5.0.3, Chrome 9, Internet Explorer 8 and Firefox 3.6 -- although that didn’t preclude researchers from trying to hack the latest browser releases,” 9to5Mac reports, which was the case on Wednesday.
Looks like Apple will have to go back to the drawing board for a Safari 5.0.5 release in the near future, at least to patch the vulnerability exposed by Vupen at this particular security conference.
Follow this article’s author, J.R. Bookwalter on Twitter
(Image courtesy of 9to5Mac)
MadMan459
March 10, 2011 at 11:27am
Yeah I'd like to know more about the test as well. Unfortunately neither you nor 9to5 Mac bothered to get any of the specs. You both mention that Apple released the 5.0.4 update just prior to the test, but according to the rules, the browser version was supposed to be frozen at 5.0.3. I doubt they actually ran the update before the contest.
The tweet from @vupen was:
"We pwned Apple Safari on Mac OS X (x64) at pwn2own in 5 seconds. Congrats to all VUPEN team members for their hard work! Thanks all!"No mention of the version number. No mention of how. If it required the Safari user to enter an admin password (or if they were provided with the admin password of the Mac being hacked) then it is a #FAIL and a fraud.
And really... pwned? I know that's the term they use but come on.
mrcrilly
March 10, 2011 at 9:00am
It wasn't "pwned" in five seconds. The browser was exploited within five seconds after the malicious website was visited, but the exploit took two weeks to develop, with a team of THREE researchers.
I think your article inspires fear into people, which is wrong in my eyes.
