March 27, 2008 4:24 PM PDT

MacBook Air hacked in security contest

A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.

IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition, which pitted the Air against Windows Vista and Ubuntu machines.

Charlie Miller pwns a MacBook Air at CanSecWest.

(Credit: TippingPoint)

No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone into visiting a maliciously crafted Web site or opening an e-mail. Hackers were also allowed to target "default installed client-side applications," such as browsers.

The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.

The contest rules stipulated that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability could be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.

Last year's contest was won by exploiting a QuickTime vulnerability, which was patched by Apple in less than two weeks. As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I'll update later as the results come in over the rest of the afternoon.

UPDATED 3/29 11:45am PT - The Vista laptop fell on the last day of the conference. Check out this story for more details.

112 comments (Page 1 of 3)
Here it comes
by Lee in San Diego March 27, 2008 5:03 PM PDT
The troll posts
But, the Mac was built with Security in mind
by delf76 March 27, 2008 5:45 PM PDT
I'm not a Mac hater, but I do find this mildly amusing. If you watch the Mac Commercials and read their website, Apple boasts that the Mac OS was built with security in mind, making it sound like it's completely unhackable. I think we are going to start seeing a lot more security exploits on the Mac OS over the next few years, as it gains popularity.
Now, to educate computer users
by slimshady007 March 27, 2008 6:32 PM PDT
"No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves." So all three systems were unhackable without some "user error" involved? I mean, duh, if you actually go out and access a website/URL, you're putting yourself at risk, even if it looks legit. Time to start teaching people to better identify fraud/scam URLs. (Although it's nice to have the "hole" patched so that you can make the user less dangerous to the system.) Tim G.
Cut the fanboyism
by Headfoot March 27, 2008 7:05 PM PDT
Here's the deal: one of Apple's big selling points is security, which is dependent on the number of users. More people trying to hack, more hacks found. So by Mac being more secure it then becomes less secure. (The security causes it to sell more, increasing its market saturation, therefore making it a more likely target). I just find it funny that the Mac system is the first to be hacked. What I find funnier is that the fanboys sell it off because "They want the MBA more". Yeah right. I think they want the 10,000 dollars most. It probably took them longer to hack Vista because the massive amount of bloat slowed the system they were using to a crawl. :)
PC > MAC
by RobX2 March 27, 2008 7:09 PM PDT
proves that macs are useless. just like the iphone... good job apple
not true
by laynemoseley March 27, 2008 7:12 PM PDT
if you had a mac or an iphone you would have a different opinion...
"The team had attack code already set up on a Web site,"
by johnqh March 27, 2008 7:29 PM PDT
Sounds like they hacked the OSX BEFORE going into the contest, and took advantage of the rule changes. Dude, that's pretty unfair to the other teams. So, if you ever found a security hole in any OS, don't make it public. Instead, wait for some contest like this, and pocket your money.
Premature Opinions
by lawrencewinkler March 27, 2008 7:48 PM PDT
I don't think anyone had the right to give an opinion about this story. There was nothing stated about what the flaw was, what was the "trick" that "encouraged" the judges to enter the demon site. Until more details are reported, one simply cannot determine the seriousness of the Safari flaw or its ubiquity on Macs (or similar flaws on other platforms). Until those details are made available, one should simply keep quiet.
The Funny Thing Is
by Olu070 March 27, 2008 8:02 PM PDT
Most Windows Fanbois think all Mac users believe OSX is invulnerable. Most Mac Fanbois think that OS X IS invulnerable. The rest of Mac and Windows users use caution when using their computers. As a Mac user I know that no OS is invulnerable and there WILL come a time when real exploits and viruses hit OSX. However, if OS-X had as many viruses and exploits as Windows, I'd still prefer to use my MBP, which runs BOTH OSes simultaneously with little fanfare.
Who did it?
by trd1282 March 27, 2008 8:25 PM PDT
From the picture, it looks like a bunch of MAC users to me, am I wrong?
  • About One More Thing

  • At the start of the 21st century, there's no tech outfit more influential than Apple. CNET News.com's Tom Krazit will attempt to make sense of the rumors, hype, products, and people that will shape the future of the company. But Apple's not the only game in town, as the established cell phone companies strike back against the iPhone, and chipmakers try to figure out how to move past PCs and slip into a little something more comfortable.
    Email Tom at Tom.Krazit@cnet.com.
