10 Second Safari Crack Exposed

March 27, 2009

Ouch. It took Baltimore security researcher Charlie Miller 10 seconds to hack & gain control of a fully patched MacBook using a pre-written exploit during the PWN2OWN hacking contest at this year's CanSecWest Conference in Vancouver. He loaded the exploit into a web URL which was clicked by a user, imitating a common tactic of infecting users with malware at malicious sites (Windows users, you know what we’re talking about…).

The whole process was part of a competition held every year at CanSecWest. Miller won $5k & the MacBook he hacked. Rights for the exploit were sold to TippingPoint, CanSecWest’s sponsor, and Apple was notified of the exploit. Not bad for 10 seconds’ work…

I’m not trying to be alarmist, but it strikes me that we might be starting to see a pattern forming here. It seems that Apple’s much-vaunted ‘virus-free’ bragging rights are eroding slowly but surely. And as their market share increases, these kinds of sightings are going to occur more & more frequently.

& while I’m certainly hesitant to tell everyone to run out & buy anti-virus for their Macs, it certainly wouldn’t hurt to review some security best practices for the internet, so…

  1. If you’re unsure about the source of a link, DON’T CLICK IT.
    • Just because a flashing icon/window begs you to click it, doesn’t mean you should (in fact, a flashing window should be a pretty good indicator that this ISN’T a link you should be clicking!!!).
  2. Enable Pop-Up Blockers.
    • Bit of a pain, sometimes, I know. But they typically do more good than harm.
  3. Unless there’s a good reason to, keep your browser’s security settings enabled.
    • That includes warnings for suspected phishing, forgery, attack sites, & others.
  4. [Safari] Disable the “Open ‘Safe’ files after downloading” option in the Preferences.
    • Don’t let a web browser tell you if a file is safe. Again, if you’re unsure about the source, don’t open it (or at least scan it first!).
  5. Be careful when you’re downloading torrents or files from peer-to-peer applications – traditionally these are some of the biggest sources of infection for malware and viruses.
  6. Don’t use Internet Explorer. If the above Charlie Miller incident teaches us anything, we probably shouldn’t use Safari, either.
    • Firefox is a good choice, Opera is another – both are free.
