Staying safe while on Safari, IE, Firefox

For those who still believe that their favorite browser (in this case Safari, but ultimately it could be any browser) is safe in a sea of network attacks, think again. At the 2009 Pwn2Own competition, Charlie Miller was able to compromise Safari in a matter of seconds. Firefox and IE8 were also no match for a hacker called "Nils" (who also took 2nd place against Safari).

For the more paranoid among you, now would be a good time to look at keeping your sensitive data off your regular machine, or to start running browsers in virtualized environments (either full VMs or application virtualization).

Src: Pwn2Own 2009: Macbook falls in seconds | Zero Day | ZDNet.com
Src: Updated story about IE8 | Zero Day | ZDNet.com [tx @RyanNaraine]

2 comments:

wishi said...

My reaction is to use sandbox-exec with a policy:
http://wishinet.blogspot.com/2009/03/applying-sandbox-exec-around-safari.html

I guess that works well enough... even if a WebKit-based exploit compromised my PC and gained root, there's no chance to circumvent this. Nevertheless there are other options to do so - but I don't know them.

Michael Janke said...

My mantra (or guiding principle) for a while has been 'If it can surf the internet, it cannot be secured'.

It's probably still a valid principle.