Mac hacked in security contest via undisclosed Safari vulnerability

“A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability,” Tom Krazit reports for CNET.

“IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition,” Krazit reports.

“The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were ‘tricked’ into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air,” Krazit reports.

Full article here.

Robert McMillan reports for IDG News Service, “Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.”

“Miller was quickly given a nondisclosure agreement to sign and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor,” McMillan reports.

“Last year’s contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize,” McMillan reports. “Dai Zovi, who congratulated Miller after his hack, didn’t participate in this year’s contest, saying it was time for someone else to win.”

Full article here.

[Thanks to MacDailyNews Readers “David,” “The_Wzrd,” and “RadDoc” for the heads up.]

MacDailyNews Take: Congrats to Charlie Miller, Jake Honoroff, and Mark Daniel! 10 grand and a new MacBook Air ain’t too shabby. And thanks for helping make Safari safer!

UPDATE: 3/28, 11:07am EDT: Please note that the time it took to “hack” the Mac is utterly irrelevant. Yes, it took a few minutes at the conference, but the amount of time that went into discovering the vulnerability within Safari and creating the malevolent website to deliver the payload should obviously be counted by those who are obsessed with timing.

Stand by for the deluge of FUD that’s sure to result from those with agendas that differ from those who are dedicated to simply reporting the facts. There is a lot of money behind keeping the increasingly-antsy Windows sheep in their pen. And lies and distortion are the only effective ammo they have left.

We immediately wondered why they didn’t install Safari on the Windows laptop and “hack” that instead. Although the rules may bar installing additional apps, regardless, they probably wanted that MacBook Air. Then we looked at the CanSecWest list of sponsors which — you guessed it — includes Microsoft, but not Apple.

Check out RoughlyDrafted for more on this charade here.

68 Comments

  1. I don’t know how many times MDN has posted this caveat for other reasons, but it applies here as well.

    All computers have vulnerabilities and every Mac (probably) has 3rd party software from apps to plug-ins that potentially could be exploited. The Macintosh OS has tons of code from open source that has shown itself less than impenetrable.

    Before you flame, I’m not dissing the Mac OS. I use it every day and only use Windoze when paid to (at work) or when bailing out someone I know with a virus-trashed or crashed PC.

    Complex systems (and Mac OS X qualifies) open so many possible combinations and interactions of code that there are bound to be vulnerabilities. What is amazing is how well Apple has been able to stay ahead of the game.

    Bottom line- although the Mac is a solid OS it is not invulnerable and use your head so as not to be a sucker for socially engineered malware. Nothing you can buy is a replacement for common sense.

  2. Remember Apple boys and girls to always use protection when surfing with strangers. Abstinence is still the best policy but if you must, proper protection and common sense will help protect you against many STDs (Safari Transmitted Diseases).

    Gotta go. My PC just contracted Bird Flu.

  3. Whilst you can’t argue that it was hacked, I find the repeated mention of the 2 minute time period interesting. The people who did this obviously knew of the exploit beforehand, knew how to make the page and then take advantage of it. I would guess that there was a lot more than 2 minutes work involved.

    It’s also a little vague as to what they achieved, I don’t expect (and wouldn’t want) them to release how they did it, but what did they do? Did they control everything, have access to certain areas, what?

    I’m not trying to lessen the security threat, but these things are always so vague, yet very specific in their conditions.

  4. Yup, RoughlyDrafted explains things very well.

    Little has changed, except now the media will drum up their feeding frenzy based on this “independent academic research.”

  5. Social engineering that leads to exploits certainly does count as a security threat.

    Or, if it doesn’t count for OS X then it should not count for Windows either.

    Anyway, the question left unanswered is if they are able to gain access to the computer, are they doing so in a way that allows them to destroy/modify its content or is it a simple, “I’m in” kinda thing?

  6. Why is it that every time I read about one of these contests, there’s always something like the line “Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed…”

    How about, just once, establishing the rules and sticking to them..? If no one can compromise a computer remotely, then the contest ends with no winners.

    But it always becomes “After contestants were allowed to sit in front of the Mac…” This doesn’t really impress me. If I have direct access to a Mac, I can see and manipulate its contents using an OS X install disc, and so can everyone else on this forum.

  7. Here we go again with another supposed hacking contest of a Mac. How many times have we heard this story only to find out later that they all CHEATED!!!! I put this story under a BIG FAT FUD ALERT!!!!

  8. Based on what was reported, there is way too much excuse-making on this thread by Apple fans. I’m a fan too, but this is clearly a problem for Apple/Safari that must be fixed. It is simply not acceptable for a hacker to either “gain access” or “take control” of a Mac just because it visits a website. Period.

  9. Mac heads are going to try to brush this aside like they always do (particularly on this site), but listen to what the winner said: Leopard was CHOSEN because it was the EASIEST to hack. Hear that? EASIEST. “Every time I look for [a flaw in Leopard] I find one.” said Miller. “I can’t say the same for Linux or Windows.”

    Hey MDN, what’s your smug “take” on that one?

  10. I gotta say, I am worried about Leopard. Tiger is so rock solid. And it was so much more stable and secure on release. I keep hearing and experiencing problems on Leopard that are not consistent with any of my OSX experience beyond 10.1. Now this…

  11. This guy just happens to be the first one up and he chose to hack the Mac.

    While that may be true, this wouldn’t have worked on a PC. No additional software is allowed to be installed on the computers to be hacked. Since PC’s aren’t preinstalled with Safari, the vulnerability wouldn’t be present on PC’s. One quick way to make your Mac safe would be to run Firefox.

    MDNMW: own. Are you kidding??

  12. Here’s something for the chicken littles to chew on… This isn’t the first time that a mac has been overtaken at an event like this or in a lab… But has any mac user just surfing the web ever reported an attack like this? No. I’m thinking “congrats to this guy, but I won’t worry about mac security until I get hacked/exploited/whatever by just getting on the web.” besides, you know apple will fix it pretty quickly.

    Sent from my iPod

  13. Every year it seems we get the same old story. First day nobody is able to do it. So they relax the rules the second day to ensure some level of success. Where is the excitement and more importantly, the news coverage if no one wins?
