Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge

“Two tricked-out MacBook laptops have survived the first day of a ‘PWN to OWN’ contest that dared hackers to take control of default Mac OS X installations,” Ryan Naraine blogs for ZDNet.

“The contest started around midday Thursday, the second day of the CanSecWest conference here and triggered interest from hackers in attendance… Organizers say they have seen ‘some activity’ on the network set up with the two new MacBooks — a 17″ and a 15″ — but details remained scarce when the day ended,” Naraine reports. “To win, the attacker must commandeer the machine and find a file with instructions on how to SSH to a server to authenticate the hijack.”

Naraine reports, “On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac’s built-in Safari browser. If the machines survive this level, the attacker will be allowed to connect to over USB or Bluetooth.”

Full article here.

If they really want to give away the MacBooks and the $10,000 prize, on the third day they ought to install Boot Camp and Windows on them. It would probably take about 10 minutes to find a winner.

Related articles:
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

84 Comments

  1. 2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow

    One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed)

    Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.


  3. This exploit gives the malicious website the ability to access anything in the users folder.

    It’s not “root” at least not yet.

    It could place a malicious process in the user folder to auto-start and wait for the admin password (aka sudo window) to open.

    Or it could simply ask the user, but that’s too obvious.

    The only thing protecting us Mac users is our low market share.

  4. Nice to see they were able to cheat to get in. I bet you could hack my system too if I was stupid enough to go to a website setup to make that happen.

  5. “Was this successful attack accomplished after they “lowered the bar” for security?”

    Umm yes, lowered considerably.

    Sorry Windows fanboyz, but this hardly proves that OS X is as weak as the shit you have.

  6. It doesn’t matter if the so called “bar was lowered”, Safari is used by most Mac users nearly all the time.

    Far as I’m concerned, the contest is rigged anyway.

    Give the whole internet access to those Macs and they would be pwned in minutes.

    It’s a shame to Apple that it only took a day to hack a Mac.

    Imagine what the entire internet with months could accomplish.

  7. What is really funny is how it took an entire conference room full of geek hackers 2 full days to finally get in, and only then after the security had been lowered a great deal on the target machine.

    Had they been hacking at Windows, they would have been able to pull it off in only 2 minutes, not 2 days.

  8. ” agree. Why are they lowering the barriers? Not very realistic, “

    If by Lowering the Barriers you mean having the machine actually do something an end user will do all the time like browse the Internet, send/receive mail etc, rather than just sit there not running any services with nobody doing anything on it, it doesn’t sound unreasonable.

  9. “Imagine what the entire internet with months could accomplish.”

    Umm, they’ve had 6 years now and they still haven’t accomplished jack squat yet. No Mac with OS X has been hacked out in the wild yet. Hacking a rigged machine at a conference doesn’t qualify as “in the wild” ya know….

  10. Of course we will see what the spin masters of MDN will do with this recent turn of events.

    Maybe they should just say, “OK, Safari and Mac OS X needs some work”

    Hopefully Apple has been paying attention and will make some MAJOR Compartmentalized changes to Mac OS 10.5’s security structure.

    95% of exploits are application based.

    There isn’t a reason in the world why simple programs like NeoOffice need an admin password (root access) to install.

    There isn’t a reason in the world why any program outside of cloning or system maintenance software needs root level access to our operating system.

    But they demand it anyway.

  11. “Hacking a rigged machine at a conference doesn’t qualify as “in the wild” ya know….”

    All it proves is nobody can be bothered hacking a Mac for less than $12,500 in cash and hardware, and when the reward is high enough, it’s done within hours.

  12. The smugness that oozes from MDN needs to be tempered with common sense. It looks like Safari has its own share of problems that need addressing given the Mac has been hacked and the contest is now over – who knows what other avenues remain open?

    Until MDN can stop bleating like a child it will continue to perpetuate the negative perceptions of Macs and Mac users that are still so prevalent. Is there any wonder that Mac users are described as fanatics when you read the rampant chest-beating on these pages?

    Instead of trying to spin every article it mirrors, MDN would better serve its readers by removing the adolescent diatribes and presenting the facts in an honest and balanced way.

    Grow up MDN – Mac users deserve better.

  13. Wasn’t this a contest to hack into Mac OS X? They didn’t do that. They found a flaw in Safari, which is an application that runs on OS X.

    Also, were the hackers allowed to sit down and use the Macs to surf to a specific web site that contained the hacker’s code? How is that “real-world”? I’m certainly not going to let some random person use my laptop. I thought the point was to prove that anyone’s Mac could be compromised, not just those who let strangers use Safari to access questionable web sites.

    As expected, the Mac-haters are crowing very loudly (WiseGuy – who obviously isn’t). By tomorrow there will be stories in every tech web-site loudly proclaiming that the Mac Is Every Bit As Insecure As All Windows PCs! Doesn’t mean that this contest was over-contrived and unfair.

    I wonder if the sponsors of the prize money just-so-happen to sell security software for the Mac…

  14. Tom

    I totally agree with your statement.

    Apple has really been trying to get away from rabid fanaticism that it needed earlier to survive.

    It’s sites like this one, as well as rumor sites, that have to “invent” something in order for them to attract people.

    Many Mac sites just give the “news” but sites like this one create controversy, combined with its no-registration “freewheeling” posting feature, do generate a lot of interest.

    So don’t assume all Mac users are rabid vocalists, it’s just those get all the attention.
