Mac hacked in security contest via undisclosed Safari vulnerability

“A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability,” Tom Krazit reports for CNET.

“IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition,” Krazit reports.

“The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were ‘tricked’ into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air,” Krazit reports.

Full article here.

Robert McMillan reports for IDG News Service, “Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.”

“Miller was quickly given a nondisclosure agreement to sign and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor,” McMillan reports.

“Last year’s contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize,” McMillan reports. “Dai Zovi, who congratulated Miller after his hack, didn’t participate in this year’s contest, saying it was time for someone else to win.”

Full article here.

[Thanks to MacDailyNews Readers “David,” “The_Wzrd,” and “RadDoc” for the heads up.]

MacDailyNews Take: Congrats to Charlie Miller, Jake Honoroff, and Mark Daniel! 10 grand and a new MacBook Air ain’t too shabby. And thanks for helping make Safari safer!

UPDATE: 3/28, 11:07am EDT: Please note that the time it took to “hack” the Mac is utterly irrelevant. Yes, it took a few minutes at the conference, but the amount of time that went into discovering the vulnerability within Safari and creating the malevolent website to deliver the payload should obviously be counted by those who are obsessed with timing.

Stand by for the deluge of FUD that’s sure to result from those with agendas that differ from those who are dedicated to simply reporting the facts. There is a lot of money behind keeping the increasingly-antsy Windows sheep in their pen. And lies and distortion are the only effective ammo they have left.

We immediately wondered why they didn’t install Safari on the Windows laptop and “hack” that instead. Although the rules may bar installing additional apps, regardless, they probably wanted that MacBook Air. Then we looked at the CanSecWest list of sponsors which — you guessed it — includes Microsoft, but not Apple.

Check out RoughlyDrafted for more on this charade here.

68 Comments

  1. I would like to know exactly how they were “tricked” into visiting a site. Did they think they were going to win a pink iPhone? Did they get a shaking pop-up window saying they have a virus? Or did they get an email saying that Visa needed to confirm their personal information?

    Those are all VERY tricky (especially the pop-up window when it looks like it came straight from Win95).

  2. I wonder if this is with the latest Safari that was just released 3.1??

    Also I wonder how many people tried to have the Mac compared to the Linux and Windows machines?? Like was it 50 people tried to hack the mac and 5 tried to hack Linux and Windows over the 2 day period? Kinda hard to believe no one has hacked Windows yet!!

    I figured the Mac would be the first one to go with all the security news and stuff that the Mac is the most secure……kinda a slap in the face to us Mac users!!

  3. Maybe they were tricked into thinking it was an MDN article … and then BOOM! Air foiled!

    Seriously though, if it is invoked simply by visiting a site then Apple has a problem to solve. Good thing they’ll know about it first.

  4. From what I’ve read, it seems this guy was the first to try to hack into ANY of the machines. Meaning the Windows and Linux machines were not being hacked into at all. This guy just happens to be the first one up and he chose to hack the Mac. And he had to get the organisers to go to a specific website for the exploit to work.

    Also, I’m sure it took him much more than 2 mins to come up with the exploit in the first place. Reports so far have not been accurate at all, misleading at worst.

    Well, let’s hope Apple closes the bug asap. In the meantime, get ready for the “Macs are not secure” crap from losers everywhere.

  5. Prior setup of the security exploit…

    then two minutes to send the judges an email and get them to go to the site…

    he didn’t discover and create the exploit in two minutes.

    Let’s be real, during the prior day nobody achieved a break-in but just like last year everybody knew the “conditions” would change.

    bogus

  6. Oh for crying out loud. Be happy. This will improve Mac security. It’s a good thing. I have declared myself the world’s screechiest and most annoying fanboy. If you don’t believe me, check rip-ragged.com. But I still think it’s cool that hackers are trying to hack the Mac.

    The best part is, with $10k on the table, smart hackers still needed social engineering to get the job done. One more reason to be glad I have Macs.

    Well done, Charlie. Keep up the good work.

  7. Yep perfect take from MDN. Get Apple to see the problem now and fix it. So Macs are safer than ever. While Windows still has its big ass wide open, to match their big ass table.

  8. @ Just Wondering

    Is your question an acknowledgment that you’re really dumb?

    No intelligent Mac user has ever (EVER) suggested that Mac is immune from invasion. It’s just that there’s nothing to be immune from, yet.

    Fact: There is still no Mac malware in the wild that can be downloaded without social engineering.

    None.

  9. Obviously he wanted the MacBook Air, not the other two laptops . . . . Maybe all three operating systems should have been natively set up on one of three MBA’s.

  10. From the first article:

    As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I’ll update later as the results come in over the rest of the afternoon.

    Spin it any way you want but that stings. Expect MS fanboys to be all over that one.

  11. And a friend of mine who literally was angry at me for trying to convince him to go for a mac, will now probably say “See, macs are vulnerable too” and he will feel vindicated he went with Toshiba/Vista, and venture on in his malware infested world with a sense of satisfaction.

  12. You won’t find a bigger Mac fanboy than me. I have been advocating Macs for years and am typing this on my new MacBook Air. I have worked in the security industry for 15 years and all of you who say that social engineering doesn’t count are morons. The biggest threats in all of security are due to social engineering. Phishing, e-mail attachments, free porn, any number of techniques can be used to trick someone to a site. That doesn’t even count the fact that a hacker could simply take over a legitimate site and include this hack on their site.

    Security is a serious challenge faced by all OS vendors and you won’t hear Steve Jobs say any differently because he’s not stupid. It’s brainless fanaticism that prevents people from recognizing the real superiority of the OSX operating system.

  13. “As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I’ll update later as the results come in over the rest of the afternoon.”

    No one is interested to hack Vista. It’s not challenging enough.

  14. Here’s an interesting quote

    “The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were “tricked” into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.”

    From this it seems that the contestants who won came prepared for that day’s round, and didn’t spend any time crafting or looking for the exploit as they targeted a vulnerability in Safari that was already known; hence the small amount of time it took to take over the MBA.

    I wonder if it would’ve taken 2 mins to take over had they been forced to look for the exploit and spend the day writing the code.

    While I congratulate them on their work, it seems somewhat disingenuous. It would be more shocking if they had discovered a new vulnerability during the course of the day, and had not been prepped in some way.

  15. Sure, social engineering counts. But it requires each machine to be infected independently, through misguided operation. It isn’t a vulnerability of the machine, but a vulnerability of the user. Or as my sainted granddaddy used to say, “It’s the loose nut behind the wheel.”

    You can’t make cars or computers any safer than the people who operate them.

  16. Here is a question I have been wondering about. Can simply going to a website open up terminal access to that website? I always thought terminal required a password to access.

  17. My bad, I misread the part about the Safari vulnerability, as the rules and the TippingPoint site blog state it has to be “a brand new 0day vulnerability”. That being said, I take back my statement of exploiting a known vulnerability.

    I do still stand by my opinion regarding the amount of time it took to execute the exploit.

    BTW, if you look at the pic on TippingPoint blog it appears that the contestants used a MBPro to construct or at least “trick” the contest to surf to their predesigned site.

  18. Did read original article, and have a lot of questions.

    What does it mean when they say:

    “to gain access … and retrieve a file … a newly discovered vulnerability in Safari was used to gain control of the Air.”

    Did they gain “access” or did they gain “control” ?

    And all they did was transfer a file ?

    Which file, what kind, from where ?

    If one of the obscure System/Safari files that might hold keychain info or a password in cache not yet dumped from a previous site, or something along those lines, then they might have something.

    But if, say, an mp3 … c’mon, we let folks have access to our computer all the time for those files every time we fire up a p2p program. So there’s a definition of how someone “gained access and retrieved a file.”

    Need to have some more info and details about this for me to buy it as a real problem and believe someone can truly gain “control” of my machine.

    Anyone with insight in all this, please comment.

    Thanks, BC in Tally
