
MacBook attacked through security hole in Safari web browser

The two-day "PWN to Own" hack-a-Mac contest, organized by CanSecWest in Vancouver, British Columbia, gave competitors a stage to show off their hacking talents.  One team stood up to the challenge and managed to exploit the Mac in 9 hours.  Shane Macaulay, a software engineer, won the very MacBook that he exploited through a zero-day security hole in Apple's Safari browser.

Macaulay's attack on the MacBook came with the aid of Dino Dai Zovi, a security researcher who had previously been credited by Apple for finding flaws in the company's software.  In a telephone interview with CNET, Dai Zovi stated, "The vulnerability and the exploit are mine.  Shane is my man on the ground."  According to the CanSecWest website, there is an exploitable flaw in Safari that can be triggered by a malicious web page.

Apple spokeswoman Lynn Fox gave the usual comment on Mac security: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

The hack-a-Mac contest consists of two MacBooks set up with their own access point and all security updates installed, but without additional security software.  Contestants are able to connect to the computers through the access point via Ethernet or Wi-Fi.  According to the website, the challenge has two parts: finding a flaw that allows the attacker to get a shell with user-level privileges, then doing the same and also getting root.

The second OS X box was not exploited by the second and last day.




OSX flaw
By jimmiwalker on 4/24/2007 6:05:20 AM , Rating: 2
Well, I don't really see why it's not an OSX flaw that you can exploit the OS through Safari. That means, you can hack the whole system if anything is flawed. E.g. in Vista, applications run with minimal rights, so you achieve basically nothing by exploiting a browser. Isn't that the way to go for OSX? Why does a browser need more rights than accessing its own config files?




RE: OSX flaw
By Hare on 4/24/2007 6:32:27 AM , Rating: 1
Mac OS X has had advanced user permissions since day one (6 years ago) just like Vista, except OS X requires password confirmation for admin-tasks (unlike Vista, where you just click "ok"). Mac OS X is basically a Unix/BSD system with a nice GUI so it's pretty robust.

They didn't get root access so they were only able to execute basic user-level commands. That's enough to read file contents and delete files etc. Not enough to really "nuke" the computer.


RE: OSX flaw
By archermoo on 4/24/2007 11:30:27 AM , Rating: 2
quote:
Mac OS X has had advanced user permissions since day one (6 years ago) just like Vista, except OS X requires password confirmation for admin-tasks (unlike Vista, where you just click "ok").


Not quite true for Vista. Or I should say only true if you are logged in as an account that is in the Administrators group. If you are logged in as a normal user you have to provide the username and password of an account with Admin access.













Copyright 2014 DailyTech LLC.