One Mac hack bounty claimed, one to go
No sooner said... the first half of the CanSecWest MacBook Pro hack challenge has been won, with an exploit that uses a malicious webpage to gain a user-level shell via Safari. The second challenge, requiring root access on the target machine, has yet to be won (and requires the use of a different exploit). As far as we know right now, this is a zero-day exploit without a known patch. (Grrr.)

It's worth mentioning the elephant in the room for this contest: where was the $10,000 bounty for a similar takeover of a Windows XP or Vista stock patched configuration? It wouldn't have taken a day, that much is certain.
More news as it comes... thanks to our vigilant commenters for the link.
graphic: Sebastiaan de With
[via Matasano]
Mitcho --
a) I'm a blogger, not a journalist; I'm sorry you don't approve of my failure to cite sources, but that line about XP and Vista was something we bloggers call "opinion & hyperbole."
b) http://www.google.com/search?q=vista+exploit
c) The reason for the contest in the first place was to gain publicity and point out security weaknesses in the Mac platform. There's no publicity boost for doing the same on Windows because there's nothing special or unusual about a Windows exploit; they are tragically common.
It may be tired and hackneyed to mention Windows security in the same breath as Mac OS X security, but these are the top two consumer platforms and it's the only comparison in town. If Microsoft's increased investment in security pays off and malware becomes extinct on that platform -- or if there's parity between Mac and Windows risk profiles -- we'll cover that too.
What surprised me in reading up on the attack is that this is supposedly a Firefox vulnerability too.
April 22 2007 at 10:52 AM
"Where was the $10,000 bounty for a similar takeover of a Windows XP or Vista stock patched configuration? It wouldn't have taken a day, that much is certain."
What is your source for this? An identical competition was not set up for Vista, so we wouldn't know. And even if you have a good reason to say this, you've got to cite your source--this is just poor journalism.
These are the kinds of comments that get us loyal Mac users blanketed as idolaters. Michael Rose, I'm very disappointed.
I emailed you guys about the icon used for the article, please read it ;)
Anyway, I did some commenting on digg about this. I am quite unsatisfied with the quality that goes into these 'hackathons' lately. I find it a good example of the security of a Mac. Although details are sparse, I hope this gets some documentation soon.
oh no! The precious Mac OS X image is being tainted, throw out some irrelevant comment about Windows to make us all feel better.
Don't get me wrong, Mac OS X is a better OS all around, but does anyone really believe any OS is perfect? With greater market share and popularity comes greater interest in exploits. I predict this is only the beginning.
Welcome to the social.
Please show me where it says "...these machines were patched with Thursday's update prior to the challenge."
All I can find in the article is where it says "...the latest security patches have been applied." Whatever that means.
In any case I'm really glad I rarely if ever use Safari.
$10,000 + MacBook Pro.. Wow!
April 21 2007 at 8:05 AM
Dude! Check this out: http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore
April 21 2007 at 12:18 AM
A few simple preventative steps can go a long way.
It's best to not run as admin for your everyday user, because you can almost always authenticate when you actually need admin privileges. The greater your user level, the greater potential for damage caused by malicious code.
Definitely turn off automatic opening of "safe" downloaded files in your browser preferences, whichever browser you use.