For those who still believe that their favorite browser (in this case Safari, but ultimately it could be any browser) is safe in a sea of network attacks, think again. At the 2009 Pwn2Own competition, Charlie Miller was able to compromise a Safari browser in a matter of seconds. Firefox and IE8 were also no match for a hacker called "Nils" (who also took 2nd place against Safari).
For the more paranoid among you, now would be a good time to look at moving your sensitive data off your regular machine, or to start running browsers in virtualized environments (either full VMs or application virtualization).
Src: Pwn2Own 2009: Macbook falls in seconds | Zero Day | ZDNet.com
Src: Updated story about IE8 | Zero Day | ZDNet.com [tx @RyanNaraine]
2 comments:
My reaction is to use sandbox-exec with a policy:
http://wishinet.blogspot.com/2009/03/applying-sandbox-exec-around-safari.html
I guess that works well enough... even if a WebKit-based exploit compromises my PC and gains root, there's no chance to circumvent this. Nevertheless, there are other options to do so - but I don't know them.
My mantra (or guiding principle) for a while has been 'If it can surf the internet, it cannot be secured'.
It's probably still a valid principle.