Stephen Withers
Monday, 23 March 2009 11:04
Opinion and Analysis
Page 1 of 5
Much has been made about the supposed speed with which a Mac running Safari was pwned in the PWN2OWN competition at last week's CanSecWest security conference. But it turns out that the crack was over a year in the making.
Charlie Miller's sub-10 second crack exploiting security issues with Safari and Mac OS X itself was bound to draw attention.
As iTWire's
Davey Winder pointed out, the apparent speed was neither here nor there. How long do you think it takes for an exploit delivered through a web page to do its stuff?
Nor was there any significance in the fact that Safari on Mac OS X was the first to fall. The order was determined by pulling entrants' names out of a hat. Miller was the first up, so it was only blind luck that stopped Internet Explorer and Windows from being the first to be pwned.
Firefox also went down in the first round of the competition.
But it's now come out that Miller discovered the Safari flaw that won him a MacBook and $5000 while he was preparing for last year's contest, which he also won.
Since there's only one major prize per platform, Miller kept the second bug up his sleeve.
"Last year, you could only win once so I saved the second bug," he told
Kaspersky's Ryan Naraine. "Turns out, it was still there this year so I wrote another exploit and used it this year."
Is criticism of Miller justified? Please
read on.
