Safari Falls in Pwn2Own Contest Despite Update

| News

Even though Apple released a major security update for Safari, contestants participating the Pwn2Own event at the CanSecWest security conference managed to hack into the Web browser in short order. A team sponsored by the French security company Vupen won the MacBook Air they hacked along with US$15,000 for their efforts, according to Computerworld.

Safari Web BrowserSafari fell fast in Pwn2Own

The security update Apple released ahead of the hacking contest patched some 64 potential security flaws, but missed the one exploited by the Vupen team. That turned out to be good news for the team because they were attacking Safari 5.0.3, but if their exploit had been patched with the just released 5.0.4 update they wouldn’t have won the prize.

Peter Vreugdenhil from HP TippingPoint, the security firm that sponsors the contest, said they always locks in the browser versions they use ahead of the event, but take into account later updates that are released before the teams go hands-on at ConSecWest. “Exploit development does sometimes rely on certain versions and that is the reason we have frozen the devices,” he said.

Microsoft’s Internet Explorer quickly fell to its first hacking attempt, although Google’s Chrome Web browser is still holding up.

Popular TMO Stories


Dean Lewis

Maybe the headline could be changed from “despite” to “before” the update? smile

Michael Ackerman

check out the article below for more details about safari’s fall in the pwn2own contest


I agree with you there Dean.  Too many issues, cant keep up with the FF, C, O train.

Lee Dronick

check out the article below for more details about safari?s fall in the pwn2own contest

I didn’t see many details in that story.


What happened to “It just works.”?


Obvious troll is obvious.


It seems to me that the headline is right but there is some mixup in the story. Read this one instead:


It’s not fair to say that Google’s Chrome is still holding up. From what I read that’s because no one is trying. From a story:

Although Google offered an additional $20,000 to any team or individual who could successfully crack Chrome, no one took up the challenge. Engadget reported that the two takers, Team Anon and an individual, were busy elsewhere and pulled a no show.


Really, can the headline be fixed? They used the pre-patched version locked in two weeks ago.

Bosco (Brad Hutchings)

What do you mean it’s not fair? There is $40K worth of incentive for anyone with a known exploit to come forward. If they locked the browser versions in today and held the contest in two weeks, the results would probably be the same.

To exploit Chrome, you have to do double the work. Your exploit has to crash the process that handles the page in a way that crashes the browser process itself. It baffles me that when Google announced that was how they were going to make Flash safer that every other browser vendor didn’t make sandboxing the toppest of priorities. These threats are very real, not difficult to deploy, and can yield a huge payout.


Slashdot had an interesting thread with more detail about the contest I didn’t know. Good article on ArsTechnica too.
here is a sampling of the commentary about it I didn’t know:

“It’s called “Pwn2Own”: the hackers win the machines they hack.”
“The researchers clearly invested more time and money than the price of the machine they can get for “free”. It took about 6-person weeks to develop the exploit… assuming the researchers could bill at a consulting rate of $250/hour (not unreasonable for a top security consultant) they’ve invested $60,000 in the exploit, add to this travel, opportunity cost at the conference plus other expenses…. if they wanted a Mac, buying it would have been way cheaper.
It’s a little bit about prestige…and anyway the security consultants can earn more working on the PCs…because everyone knows that Macs are more secure….and there is almost no corporate market for Mac security.?it sounds like they had one machine open for hacking at a time. First the Mac, then the Windows / IE machine. Then the Chrome / Windows machine, which no one tried to attack “
“The whole “which fell first” thing makes a huge assumption that simply isn’t true. The assumption that all hardware/software combinations are available at the same time to all participants.
For example, whilst Safari and IE fell on day one, Firefox isn’t scheduled to be available to anyone to try to hack till day two. Thus you can’t say Safari is somehow less than Firefox.
Likewise you can’t say that Safari is less than IE. It may well be that the person with a working exploit for Safari got a time slot to try it before the person with a working exploit for IE. After all, it’s not as if they are actually finding the exploits at the competition. They’re exploits they’ve spent weeks preparing.”
“Actually the reason Safari went down first was because it was the first target. Followed by IE8 which also went down. The researcher who was going to go after Chrome never showed up and Firefox is next in line?”
Vulnerability was in webkit, not Safari specifically. Chrome may have been vulnerable to it as well.
“The specific bug that was exploited in this case is in WebKit, so it’s a concern for any browser based on it - Apple or not. The purpose of the contest is PR, but does lead to exploits being exposed and patched (albeit held back by the people going for the prizes so they have something to deploy as soon as the contest begins - it took those guys a lot of work to get it to the stage where they could deploy it quickly - they could have disclosed their method some time ago [but the same is true for all the exploits used in this contest, on all of the platforms]).
The attack order of the machines really has little ultimate value in the end - the fact that security holes exist in the first place is the take home message. I hope OS X keeps getting attacked - the more exploits are found, the more get closed off. I am careful with my machine, but I welcome disclosure and patching of bugs.”
“Every year headlines claim platforms “pwned” in seconds but it’s misleading and sensationalist.
The exploits are researched and practiced over days or weeks, rehearsed and simply repeated on the day. Yes it’s bad, yes it demonstrates insecurity but the headlines imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it’s done.
Of course the exploits take seconds to run - they are running them on computers - they are fast. I’m sure they get faster every year.”
“So what I take it that the exploit is in WebKit (along with many others). They did mention it was quite hard to build the root kit for x64.
So does this mean it is a cross platform exploit?
Any word on when apple will patch it?”


The title shouldn’t read “Falls…. Despite Update”
The contest was locked into the previous version and the computers were not updated with this newer version.

How about the title of this being: “Pre-update version of Safari Falls due to Open Source WebKit vulnerability; WebKit Browser Chrome untested”.

Bosco (Brad Hutchings)

From the Ars article:

Historically, the competition has required competitors to use the newest version of the browser and operating system. Perhaps aware of this, Apple released Safari 5.0.4 a day ahead of the competition, patching some 60 security holes in the browser. However, this year the rules have been altered: the configuration was frozen a week ago, hence the competition being run against Safari 5.0.3. Under the new rules, pwning (and hence owning) only needs to succeed on the frozen version. However, to receive prize money (in addition to the hardware), the flaw must also exist in the newest release.

In VUPEN’s case, the team will be winning both the hardware and the money. In spite of Apple’s last-minute patch, their attack still works.

Lee Dronick

imply that some guy just sits down at a fresh machine, sight unseen, decides to have a go at hacking it and within seconds it?s done.

Only in the movies. Of course the blogosphere is having a field day with the misinformation and I am surprised that we haven’t had more trolls commenting; Maybe this weekend.

So what is the current security situation with Safari and webkit? Do we really have to worry about it, or is it a lot of FUD?


I read somewhere that the 5.0.4 fixes the issue, but I can’t remember where I read it or if it is at all accurate. Perhaps the patch enables the sandboxing that Chrome has. I will continue to poke around.

So far it seems that chrome has vulnerabilities as well, but nobody has yet been able to utilize them because of the sandboxing. Open source WebKit is the culprit. I wonder if Apple issued updates to WebKit? Regardless this years vulnerability will be patched. I hope they implement sandboxing soon.

Perhaps this is why it has remained unchallenged for the past 2 years?

Opera hasn’t been tested either as I understand it.


However, to receive prize money (in addition to the hardware), the flaw must also exist in the newest release.
I wonder if this applies to releases that happen the day of the competition? That would seem kind of unfair to contestants.


Multiple webkit vulnerabilities were patched.

I can’t speak to the specifics of the WebKit hack in the contest however. By rule the exploit used in the contest cannot be published until Apple has patched it.

It would make sense to me that they would have alerted Apple of the exploit so Apple could patch it already, especially if the browser version of the contest was already locked down. Part of the purpose of the contest is for developers to tap into those who can reveal their security issues before they become publicly known.

They have been working on this exploit for more than 2 weeks and had to write an entirely new set of tools and attack code not previously used. Pretty cool stuff.


Perhaps Jeff would like to rewrite the article so it’s not quite so confusing to read… it leaves one under the impression that they beat it using only the 5.0.3 version of Safarai and that they never went up against the 5.0.4 version. However Bosco cited a source that indicated that they went against the 5.0.3 beat it and then went up against the 5.0.4 version and beat it with the same vulnerability exploit that worked on 5.0.3.


This makes me wish that Safari would follow Chrome’s approach of having a separate, sandboxed process for each browser tab or window.

Mac OS X has sandboxing support in the OS, but as far as I know Safari only uses it for plug-ins, not for the browser itself, and browser tabs/windows are not isolated from each other.

With enough bad publicity like this, perhaps Apple will make some positive changes on the browser security front.

If I were on the Safari team I’d be fearing a call from Steve. “So, why aren’t you guys as smart as the Chrome guys at Google? And why are they making better use of the features that we put into OS X a couple YEARS ago?”


Yeah, Steve and Bertrand (Serlet), why isn’t Safari more secure?

So that it just works? Safely?

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account