Pwn2Own — an annual computer-security contest in which researchers vie to win cash prizes and computer hardware by exploiting Web browsers — ended last week, and the results may surprise you.
The first browser to get hacked was Apple’s Safari. As Ars Technica’s Peter Bright wrote on Thursday, the almost-current 5.0.3 version of Safari, running on an up-to-date copy of Mac OS X 10.6.6, succumbed to a malicious page written by researchers with VUPEN, a French security firm, in a few seconds.
They proved the attack by remotely launching the Mac’s Calculator program and writing a file to the MacBook Air’s flash drive — earning them the right to keep the laptop, as per the contest’s rules.
Microsoft’s Internet Explorer 8, running on Windows 7 updated with Service Pack 1, fell later that day. Bright’s report notes that the IE 8 hack involved more exploits and took five to six weeks to construct, compared with two weeks for the Safari exploit.
On the second day of Pwn2Own (organized by HP’s Austin-based TippingPoint DVLabs subsidiary and held at the CanSecWest conference in Vancouver every year), the iPhone 4 and a BlackBerry Torch smartphone also suffered successful hacks. Although the iPhone 4 was not running Apple’s just-released iOS 4.3 — the contest rules only required that the target device be running software current as of the week before — the vulnerability exploited in the attack exists in 4.3, too.
Over both days, nobody even tried to challenge Google’s Chrome (even though Google offered a separate cash award to anybody who could hack Chrome), Mozilla Firefox, a Nexus S smartphone running Google’s Android 2.3 operating system or a Dell Venue Pro with Microsoft’s Windows Phone 7.
(Google shipped the first patch for a bug exploited at Pwn2Own, Computerworld’s Gregg Keizer wrote this morning.)
There’s not much interpretation needed for these results, right? Apple’s Mac OS X is a dangerously insecure platform — it’s been successfully hacked at Pwn2Own every year since its debut in 2007 — that should be avoided if you don’t want your computer to get taken over by a drive-by download.
Except ... that’s not the actual experience of using a Mac. Or an iPhone. Both Apple’s computer and phone operating systems remain almost completely free of viruses, worms and trojans, even as Apple’s market share has grown dramatically in both markets.
For example, Apple now claims 20 percent of the U.S. consumer market, a number that would have been unthinkably high only 10 years ago. The iPhone’s iOS constitutes 27 percent of the U.S. smartphone market, tied with Research In Motion’s BlackBerry phones and just behind Google’s Android, according to the latest Nielsen research.
Should even 20 percent of the market be enough to attract the interest of malware authors? I asked that on Twitter and got an interesting response from ZDNet’s veteran Windows blogger Ed Bott. He answered that “malware authors play a global numbers game. OS X has ~6% worldwide.”
But if current trends continue, it might not be long before the Mac hits 10 percent of the total market. Will that be enough? Or will malware continue to be a market in which marginalized Mac users face a dramatically inferior selection of third-party software compared to what runs on Windows?
One of Apple’s latest security moves suggests it has one idea of where things are heading: For the first time in recent history, it’s sharing advance copies of its upcoming Mac OS X Lion operating system with security researchers. What’s your forecast for Mac malware? Let me know in the comments.