Mac hacked in security contest via undisclosed Safari vulnerability

“A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability,” Tom Krazit reports for CNET.

“IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition,” Krazit reports.

“The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were ‘tricked’ into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air,” Krazit reports.

Full article here.

Robert McMillan reports for IDG News Service, “Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.”

“Miller was quickly given a nondisclosure agreement to sign and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor,” McMillan reports.

“Last year’s contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize,” McMillan reports. “Dai Zovi, who congratulated Miller after his hack, didn’t participate in this year’s contest, saying it was time for someone else to win.”

Full article here.

[Thanks to MacDailyNews Readers “David,” “The_Wzrd,” and “RadDoc” for the heads up.]

MacDailyNews Take: Congrats to Charlie Miller, Jake Honoroff, and Mark Daniel! 10 grand and a new MacBook Air ain’t too shabby. And thanks for helping make Safari safer!

UPDATE: 3/28, 11:07am EDT: Please note that the time it took to “hack” the Mac is utterly irrelevant. Yes, it took a few minutes at the conference, but the amount of time that went into discovering the vulnerability within Safari and creating the malevolent website to deliver the payload should obviously be counted by those who are obsessed with timing.

Stand by for the deluge of FUD that’s sure to result from those with agendas that differ from those who are dedicated to simply reporting the facts. There is a lot of money behind keeping the increasingly-antsy Windows sheep in their pen. And lies and distortion are the only effective ammo they have left.

We immediately wondered why they didn’t install Safari on the Windows laptop and “hack” that instead. Although the rules may bar installing additional apps, regardless, they probably wanted that MacBook Air. Then we looked at the CanSecWest list of sponsors which — you guessed it — includes Microsoft, but not Apple.

Check out RoughlyDrafted for more on this charade here.

68 Comments

  1. I would like to know exactly how they were “tricked” into visiting a site. Did they think they were going to win a pink iPhone? Did they get a shaking pop-up window saying they have a virus? Or did they get an email saying that Visa needed to confirm their personal information?

    Those are all VERY tricky (especially the pop-up window when it looks like it came straight from Win95).

  2. I wonder if this is with the latest Safari that was just released 3.1??

    Also I wonder how many people tried to have the Mac compared to the Linux and Windows machines?? Like was it 50 people tried to hack the mac and 5 tried to hack Linux and Windows over the 2 day period? Kinda hard to believe no one has hacked Windows yet!!

    I figured the Mac would be the first one to go with all the security news and stuff that the Mac is the most secure……kinda a slap in the face to us Mac users!!

  3. Maybe they were tricked into thinking it was an MDN article … and then BOOM! Air foiled!

    Seriously though, if it is invoked simply by visiting a site then Apple has a problem to solve. Good thing they’ll know about it first.

  4. From what I’ve read, it seems this guy was the first to try to hack into ANY of the machines. Meaning the Windows and Linux machines were not being hacked into at all. This guy just happens to be the first one up and he chose to hack the Mac. And he had to get the organisers to go to a specific website for the exploit to work.

    Also, I’m sure it took him much more than 2 mins to come up with the exploit in the first place. Reports so far have not been accurate at all, misleading at worst.

    Well, let’s hope Apple closes the bug asap. In the meantime, get ready for the “Macs are not secure” crap from losers everywhere.

  5. Prior setup of the security exploit…

    then two minutes to send the judges an email and get them to go to the site…

    he didn’t discover and create the exploit in two minutes.

    Let’s be real, during the prior day nobody achieved a break-in but just like last year everybody knew the “conditions” would change.

    bogus

  6. Oh for crying out loud. Be happy. This will improve Mac security. It’s a good thing. I have declared myself the world’s screechiest and most annoying fanboy. If you don’t believe me, check rip-ragged.com. But I still think it’s cool that hackers are trying to hack the Mac.

    The best part is, with $10k on the table, smart hackers still needed social engineering to get the job done. One more reason to be glad I have Macs.

    Well done, Charlie. Keep up the good work.

  7. Yep perfect take from MDN. Get Apple to see the problem now and fix it. So Macs are safer than ever. While Windows still has its big ass wide open, to match their big ass table.

  8. @ Just Wondering

    Is your question an acknowledgment that you’re really dumb?

    No intelligent Mac user has ever (EVER) suggested that Mac is immune from invasion. It’s just that there’s nothing to be immune from, yet.

    Fact: There is still no Mac malware in the wild that can be downloaded without social engineering.

    None.

  9. Obviously he wanted the MacBook Air, not the other two laptops... Maybe all three operating systems should have been natively set up on one of three MBAs.

  10. From the first article:

    As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I’ll update later as the results come in over the rest of the afternoon.

    Spin it any way you want but that stings. Expect MS fanboys to be all over that one.

  11. And a friend of mine who literally was angry at me for trying to convince him to go for a mac, will now probably say “See, macs are vulnerable too” and he will feel vindicated he went with Toshiba/Vista, and venture on in his malware infested world with a sense of satisfaction.
