
Safari wasn't.

Also, nobody compromised Safari at Pwn2own last year.




Probably because they are saving those Safari bug bounties for iOS: https://twitter.com/i0n1c/status/309585202810867712

I highly doubt it was because no one could pwn Safari.


Interesting perspective.

Charlie Miller teased about it and a conversation involving i0n1c ensued:

https://twitter.com/0xcharlie/status/310018569058525184


This may be the cynic in me, but I feel that's because exploits fetch quite a sum in the black market these days.


If so, why would somebody spend months working on an IE10 exploit (http://threatpost.com/en_us/blogs/pwn2own-browser-exploits-g...) and then demo it here instead of selling it on the market?

If the market pays lots of money for Mac OS X exploits, why would it pay less for Windows ones? It can't be market share, and I doubt it is because Mac users have faster Internet (so that their machines can be bigger DDoS sources) or have more money to steal from them (both may or may not be true, but I doubt that fully offsets the difference in market share).

The only other reason I can think of why Mac exploits would be more expensive is that buyers expect Mac zero-days to last longer, but I doubt that, too.

That leaves two reasons: because it is so easy that nobody considers it a challenge and everybody expects someone else to pick up the prize, or because it is too hard.

Alternative theories welcome.


I really have no specific explanation for it (that's really not the crew I hang out with), but exploits for the Mac ecosystem, iOS in particular, are in very high demand and do cost more.

Some theories:

I don't necessarily think it's because Mac 0-days last longer, but I know they do consider it a challenge; the difficulty may factor into the price somehow. Maybe because there's the presumption that the average user on iOS may have more cash to burn than the average Windows user.

They may have more to gain by hitting Apple employees for trade secrets.

Of course, all this is pure speculation.


That's not quite accurate. iOS exploits are worth a lot, but OS X exploits are not worth as much. There is no relation between the two in terms of value. It's also much easier to write OS X exploits than it is to write Windows exploits in general. Windows has always been far ahead of OS X in terms of mitigations.

Safari on OS X is considered a soft target compared to the other browsers. It is the least difficult and has the fewest users. That is why the payout is less.


Never mentioned OS X. Parent did, I didn't. OS X's "soft target" status would explain why Pwn2own offered a lesser prize for Safari on it, but iOS is a different beast altogether and more likely to be carried around by Apple devs on their mobile devices. Hence my theory they may be after trade secrets.


You did, because Mac and OS X are synonymous :)

It has nothing to do with being after trade secrets from Apple employees. The people who sell both iOS and Mac (OS X) exploits do not sell them to people trying to steal Apple's trade secrets.


Safari on OS X has some good mitigations these days, such as running the web content in a separate sandboxed process, which Firefox does not do. I suspect attackers either failed to find or did not want to burn their WebProcess sandbox escape.


One issue may be that the usage share for IE10 is almost negligible currently because it hasn't landed on Windows 7 yet. (But it will soon, so... hmm.)

Pwn2own bounty for breaking IE9 is only $75,000.

Bug price list 1 year ago:

http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...

It is indeed too bad that the Safari bounty is only $65,000.

And IE9's bounty is only $75,000.

So yeah, perhaps these bugs are being sold to governments instead.


IE10 for Windows 7 was released last week.



