
MacBook attacked through security hole in Safari web browser

The two-day "PWN to Own" hack-a-Mac contest, organized by CanSecWest in Vancouver, British Columbia, was the venue for competitors to show off their hacking talents.  One team stood up to the challenge and managed to exploit the Mac in 9 hours.  Shane Macaulay, a software engineer, won the very MacBook that he exploited through a zero-day security hole in Apple's Safari browser.

Macaulay's attack on the MacBook came with the aid of Dino Dai Zovi, a security researcher who had been previously credited by Apple for finding flaws in the company's software.  In a telephone interview with CNET, Dai Zovi stated, "The vulnerability and the exploit are mine.  Shane is my man on the ground."  According to the CanSecWest website, there is an exploitable flaw in Safari which can be triggered within a malicious web page.

Apple spokeswoman Lynn Fox gave the usual comment on Mac security: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

The hack-a-Mac contest consists of two MacBooks set up with their own access point and all security updates installed, but without additional security software.  Contestants will be able to connect to the computers through the access point via Ethernet or Wi-Fi.  According to the website, the challenge has two parts: finding a flaw that allows the attacker to get a shell with user-level privileges, then doing the same and also getting root.

The second OS X box did not get exploited by the second and last day.

Comments

RE: "Hacking" eh?
By Scott66 on 4/24/2007 1:42:14 AM , Rating: 1
That mac wifi exploit could only work if the mac user decided it would be a good idea to connect to a different non preferred network.

The hacker couldn't take over the wi-fi connection. He had to wait until the user handed him the control.

This is all mute because this has been fixed by both mac and windows. I do remember the apple was fixed first.

RE: "Hacking" eh?
By James Holden on 4/24/2007 2:10:12 AM , Rating: 2
"This is all mute because this has been fixed by both mac and windows. I do remember the apple was fixed first"

I'm not one to correct grammar usually, but the word you're looking for is *moot*

RE: "Hacking" eh?
By MonkeyPaw on 4/24/2007 7:40:52 AM , Rating: 2
Yeah, just think back to the movie "Office Space" and Tom's "Jump to Conclusions" mat. "Moot" is one of the "conclusions" that you can jump to. No kidding, that's how I learned the word "moot." :)

RE: "Hacking" eh?
By Scott66 on 4/24/2007 11:06:49 AM , Rating: 2
I apologize for using the wrong word. What I did, though, is not a grammatical mistake but a homonym error. At least I tried to use the right word. If you wish to point out the flaws in others, don't make one yourself.

RE: "Hacking" eh?
By OCedHrt on 4/24/2007 3:38:02 AM , Rating: 4
Did you even read the article?

"...this attack can be carried out whether or not a vulnerable targeted laptop connects with a local wireless network. It is, they said, enough for a vulnerable machine to have its wireless card active for such an attack to be successful."

Of concern is that on Windows, device driver updates are not automatically installed by Windows Update.
