Thursday, March 19, 2009

Safari hole exploited in seconds at security conference

From C-Net:

The security expert who won $10,000 hacking a MacBook Air in less than two minutes last year won $5,000 on Wednesday by exploiting a hole in Safari in 10 seconds or so. Charlie Miller, principal security analyst at Independent Security Evaluators, used a MacBook running the latest version of the Mac OS as part of a contest at the CanSecWest security conference called "Pwn2Own," which is hacker slang for gaining control of a computer.


My advice - Get Firefox

1 comment:

Hope said...

First of all, can I just say that I am sincerely surprised to find out that they have contests for hackers, especially with prizes like those! On second thought, however, I guess it really shouldn't surprise me--as we talked about in class (or maybe read about? I can't remember which), program writers who share their work catch the holes and security leaks in their designs much earlier and more effectively than those who don't. So, for a company concerned about the security of their products, or just people concerned about the security of popular products out there, participating in a contest like this is a reasonably clever (and apparently less costly) way to catch and then fix security holes.

It also surprises me that Mac, in particular, wouldn't have a better internet service provider, considering that (from what I've heard) the rest of their systems are much better designed and secure, than, say, Windows Vista. Ten seconds, after all, seems awfully fast, even if Miller did know about the hole beforehand. Which brings me to my next point—Miller says he found out about the hole last year! Why in the world did he only bring it to everyone’s attention now? I understand the financial gain and prestige in saving for a contest like this, but surely companies like Mac offer rewards or something for people who discover security holes? If not, somebody should get on that.