The two-day "PWN to Own" hack-a-Mac contest,
organized by CanSecWest, in Vancouver, British Columbia was the base for
competitors to show off their hacking talents. One team stood up to
challenge and managed to exploit the Mac in 9 hours. Shane Macaulay, a software
engineer, won the very MacBook that he exploited, through a zero-day security
hole in Apple's Safari browser.
Macaulay's attack on the MacBook came with the aid of Dino Dai Zovi, a
security researcher who had been previously credited by Apple for finding flaws
in the company's software. In a telephone interview with CNET,
Dai Zovi stated, "The vulnerability and the exploit are mine. Shane
is my man on the ground." According to the
CanSecWest website, there is an exploitable flaw in Safari which can be
triggered within a malicious web page.
Apple spokeswoman, Lynn Fox, gave the usual comment on Mac security,
"Apple takes security very seriously and has a great track record of
addressing potential vulnerabilities before they can affect users."
The hack-a-Mac contest consists of two MacBooks set up with their own access
point and all security updates installed, but without additional security
software. Contestants will be able to connect to the computers through
the access point through Ethernet or Wi-Fi. According to the
website, the two parts of the challenge include finding a flaw that allows
the attacker to get a shell with user level privileges, then doing the
same and also getting root.
The second OS X box did not get exploited by the second and last day.
quote: Mac OS X has had advanced user permissions since day one (6 years ago) just like Vista, except OS X requires password confirmation for admin-tasks (unlike vista, where you just click "ok").
quote: 2) The exploit they did use was in Safari. So maybe we should call this deadline "hacking Safari."
quote: 3) Since when did "hacking" become emailing a link to a malicious webpage which the user then has to click on? Seriously guys? Seriously!?
quote: How many IE or Firefox flaws exist that allow you to do this to a Vista or XP machine?
quote: Hacking a Macbook should mean taking control away from the user just by them being on the unsecured WiFi...
quote: Those types of attacks were the REAL security flaws to be nervous about in XP.
quote: This is all mute because this has been fixed by both mac and windows. I do remember the apple was fixed first
quote: How many IE or Firefox flaws exist that allow you to do this to a Vista or XP machine? quote: None, since someone fixed them already.
quote: None, since someone fixed them already.