homepage Welcome to WebmasterWorld Guest from 54.196.77.82
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

    
Hackers hack, Firefox, Safari, IE and iPhone
Report of hacker conventon...
tangor




msg:4104221
 5:02 am on Mar 25, 2010 (gmt 0)

CanSecWest It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.

Like dominoes falling in rapid succession, the platforms were felled in the fourth year of the contest, which has come to underscore the alarming insecurity of most internet-facing software. To qualify for the big-money prizes, the exploits had to attack previously undocumented vulnerabilities to expose sensitive system data or allow the remote execution of malicious code.

The exploits were all the more impressive because they bypassed state-of-the-art security mitigations the software makers have spent years implementing in an attempt to harden their wares. That included DEP, or data execution prevention, and ASLR, or address space layout randomization and in the case of the iPhone, code signing to prevent unauthorized applications from running on the device.

As reported at The Register: [theregister.co.uk...]

Rather in depth report.

 

ergophobe




msg:4104536
 4:39 pm on Mar 25, 2010 (gmt 0)

>>It was another grim day for internet security

I would call that a great day. Scary, but it's always better to have the good guys find the exploits first. Now only if vendors can fix them.

J_RaD




msg:4105135
 12:43 pm on Mar 26, 2010 (gmt 0)

its really no suprise, if someone is determined enough any platfrom will fall no matter how secure it is touted to be.

jatar_k




msg:4105142
 12:47 pm on Mar 26, 2010 (gmt 0)

this is awesome
The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.


hadn't heard of that before, mind blowing concept, great article. I like the fella arriving at the conf with 20 working hacks for safari. It sounds like Apple got it the worst.

drhowarddrfine




msg:4105171
 1:40 pm on Mar 26, 2010 (gmt 0)

What a lot of people don't realize is these people work on such things as full time jobs. Also, some of these cracks are carried over from years past. For example, the guy who won that you all heard about cracked Safari(?) in 2 minutes or something, he used a crack he discovered the year before. That's the only reason he was able to accomplish it so fast.

Demaestro




msg:4105193
 2:25 pm on Mar 26, 2010 (gmt 0)

Yes it is scary that this can be done so easily but keep in mind they were able to do it only by clicking a link to a site with the malicious code.

With link checkers and emails blocking links, and people becoming more aware of bad links, it is harder and harder to get people to click a bad link, but obviously it happens.

Safari on a mac goes down the quickest every year.

drhowarddrfine




msg:4105221
 3:00 pm on Mar 26, 2010 (gmt 0)

Like I said, it is neither easy nor as quick as it seems.

Hugene




msg:4105228
 3:18 pm on Mar 26, 2010 (gmt 0)

It sounds like Apple got it the worst


The real reason people around me switched to Apple was the safety from viruses.

When that goes (not if, but when), Apple will become just another M$.

UserFriendly




msg:4105233
 3:27 pm on Mar 26, 2010 (gmt 0)

This is why I run NoScript and RequestPolicy (in Firefox), even though it clearly upsets webmasters who rely on advertising, as discussed in this WW thread:

[webmasterworld.com...]

The fact is, browsers are overloaded with hooks and functionality that is of no use most of the time, but which is begging to be abused by crackers.

I don't run the anti-functionality software to banish ads. (I don't even see the ads anymore.) I run it to make it that little bit harder for black hats to crack my system.

drhowarddrfine




msg:4105317
 5:26 pm on Mar 26, 2010 (gmt 0)

When that goes (not if, but when), Apple will become just another M$.
You presume too much.
Demaestro




msg:4105346
 6:09 pm on Mar 26, 2010 (gmt 0)

The real reason people around me switched to Apple was the safety from viruses.

When that goes (not if, but when), Apple will become just another M$.


Macs are just as vulnerable as Windows PCs, it only seems like Windows is more vulnerable because most exploits on the web are written for windows systems... The reason for this is the market share of people online using windows.

If you are a hacker and you are writing an exploit would you write it for 20% of web surfers or would you write it for 70% of web surfers?

Obviously the intent of an exploit is to infect as many machines as possible so it only makes sense that you would target the largest group.

If Apple enjoyed the same market share as Windows they would endure the same amount of exploits targeting them.

drhowarddrfine




msg:4105354
 6:20 pm on Mar 26, 2010 (gmt 0)

If Apple enjoyed the same market share as Windows they would endure the same amount of exploits targeting them.

According to the book "The Success of Open Source" written by Stanford and published by Harvard, that's not true.

In any case, the presumption is that the underlying operating system is equally vulnerable which is definitely not true.

And since IE is the most used browser on Windows and also the most vulnerable, this also detracts from that statement.

J_RaD




msg:4105357
 6:25 pm on Mar 26, 2010 (gmt 0)


The real reason people around me switched to Apple was the safety from viruses.

When that goes (not if, but when), Apple will become just another M$.

the only safety you have from viruses is the lack of time going into the small marketing share OS. So its a false sense of security. Just like we see here, safari isn't actually more secure.

And the amount of time that goes into breaking into windows and viruses MS is actually doing a pretty good job if keeping its OS secure.

It makes me laugh to here people say they switched from windows to mac cause of viruses. Use comment sense and protection and you don't have an issue with viruses.

weeks




msg:4105367
 6:41 pm on Mar 26, 2010 (gmt 0)

Use comment sense and protection and you don't have an issue with viruses.


I think I see a problem.

drhowarddrfine




msg:4105442
 9:28 pm on Mar 26, 2010 (gmt 0)

@J_RaD,
I've got the perfect graph for you but this board doesn't allow links. It would make you do a quick 180 on that thought.

tangor




msg:4105445
 9:40 pm on Mar 26, 2010 (gmt 0)

If the Mac was not vulnerable why would the major virus protection companies write software for the Mac? From a dev company point of view those r&d resources could be better expended elsewhere than creating software for a "non-vulnerable" OS.

Malware is written for the installed market...and at this time that is PC. There are Mac virii out there, and more coming each day... because the malware authors have realized that Mac fanbois have more money and less exposure to their tricks simply because those users aren't used to them... yet!

moTi




msg:4105533
 1:31 am on Mar 27, 2010 (gmt 0)

because the malware authors have realized that Mac fanbois have more money and less exposure to their tricks simply because those users aren't used to them


yap. apple fanboys are a quite homogenous audience. so it makes complete sense to choose them as target group..

The real reason people around me switched to Apple was the safety from viruses.


..plus they seem to be a bit naive and not resistant against malware and viruses because of lack of contact. that could compromise much more systems relatively to the pc world.

Obviously the intent of an exploit is to infect as many machines as possible so it only makes sense that you would target the largest group.


no more. think about the possibilities and the bigger fallout percentage.

tedster




msg:4105578
 3:35 am on Mar 27, 2010 (gmt 0)

That is some scary hacking going on:

The iPhone's code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.

As a result, the hackers were able to create a website that when visited by the Apple smartphone forced it to spill a copy of its SMS database. The file includes a list of contacts as well as complete copies of messages that have been sent and received.

As the hacking contest shows us every year, web facing applications are continuing to be a challenge. Amazing to me that just visiting a website can cause that kind of a data spill!

I recently acquired my first virus in ten years by visiting a maliciously hacked site with a PC version of Opera AND up-to-date anti-virus software. No doubt about it, web facing applications have a tough life.

tangor




msg:4105587
 3:53 am on Mar 27, 2010 (gmt 0)

The article referenced in the OP spoke of web facing applications, not the underlying OS. I'm wondering how secure linux browser versions are. There is a linux Firefox version... perhaps it suffers from the same exploits as the Win and Mac versions.

PC is beginning to work diligently to prevent malware success... Mac is (whether most know it or not) gearing up. Adobe finally woke up to exploits of their web apps... will linux be far behind?

We know the bad guys aren't going to quit. They just migrate to where they have less resistance.

JS_Harris




msg:4105635
 9:10 am on Mar 27, 2010 (gmt 0)

succumbing to exploits that allowed them to be remotely commandeered


That's a joke and a half. Being remotely commandeered is a design feature built in for company and government benefit, you can't blame the hacker for running into some of these back doors.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved