Wednesday, 23 March 2011

iOS and MACos destroyed (again) at Pwn2Own security conference

    The Pwn2Own event, held at the CanSecWest security conference in Vancouver, allows companies to challenge hackers to exploit their software, i.e. operating systems or web browsers.

iOS
    Charlie Miller and Dion Blazakis have managed to yet again hack iOS thanks to a security hole in the mobile version of Safari. They managed to access the contacts and inbox of an iPhone 4 (iOS 4.2.1) by simply loading a web page.
    The vulnerability isn't patched in iOS 4.3 and it looks like ASLR (Address Space Layout Randomization) won't be able to protect you from this one.

MACos
    This year French pen-testing firm VUPEN has hacked Apple’s Safari web browser using a zero-day flaw to win the coveted Pwn2Own hacker challenge.
    The exploited computer was a fully patched MacBook running Mac OS X (64-bit). Co-founder of VUPEN, Chaouki Beckar, lured the Mac to a fake website and managed to bypass the ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) execution procedures that were built into the OS. He then launched a calculator app successfully and wrote files to the machine.
    It's a known fact that MAC is the most insecure operating system, manly thanks to Apple's only MACos selling point, the "security" but also due to the fact that the users are just too stupid to see past Apple's decietful advertising. If that particlular MAC had an antivirus with heuristics installed, VUPEN would never have been able to write anything to the system without being detected. So do yourself a favor, pick an antivirus and buy it!

Via: Pwn2Own