“A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability,” Tom Krazit reports for CNET.
“IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition,” Krazit reports.
“The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were ‘tricked’ into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air,” Krazit reports.
Full article here.
Robert McMillan reports for IDG New Service, “Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.”
“Miller was quickly given a nondisclosure agreement to sign and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor,” McMillan reports.
“Last year’s contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize,” McMillan reports. “Dai Zovi, who congratulated Miller after his hack, didn’t participate in this year’s contest, saying it was time for someone else to win.”
Full article here.
[Thanks to MacDailyNews Readers “David,” “The_Wzrd,” and “RadDoc” for the heads up.]
MacDailyNews Take: Congrats to Charlie Miller, Jake Honoroff, and Mark Daniel! 10 grand and a new MacBook Air ain’t too shabby. And thanks for helping make Safari safer!
UPDATE: 3/28, 11:07am EDT: Please note that the time it took to “hack” the Mac is utterly irrelevant. Yes, it took a few minutes at the conference, but the amount of time that went into discovering the vulnerability within Safari and creating the malevolent website to deliver the payload should obviously be counted by those who are obsessed with timing.
Standby for the deluge of FUD that’s sure to result from those with agendas that differ from those who are dedicated to simply reporting the facts. There is a lot of money behind keeping the increasingly-antsy Windows sheep in their pen. And lies and distortion are the only effective ammo they have left.
We immediately wondered, why they didn’t install Safari on the Windows laptop and “hack” that instead. Although the rules may bar installing additional apps, regardless, they probably wanted that MacBook Air. Then we looked at the CanSecWest list of sponsors which — you guessed it — includes Microsoft, but not Apple.
Check out RoughlyDrafted for more on this charade here.