CanSecWest offers another Mac hacking challenge
If you fondly remember last year's CanSecWest hacking challenge -- won by researcher Dino Dai Zovi with a Java/QuickTime exploit that allowed him to take over the target MacBook Pro, thereby claiming it as his own -- you'll want to keep your ears open for results of the current challenge, now underway for the second day in Vancouver. This year's PWN2OWN competition extends the target space to three road warrior laptops: a MacBook Air, a Sony VAIO running Ubuntu and a Fujitsu machine running Vista.
No winners were declared on the first day; that's no surprise to contest organizers, as the initial set of rules was the most restrictive. Today the ruleset allows for browser and other built-in application exploits by visiting a malicious URL, so it could get more exciting in a hurry.
Update: The MacBook Air has been claimed, per Macworld.
[via Macworld]

Reader Comments
InfiniteMac said 10:53AM on 3-27-2008
Looking forward to seeing a winner. :-)
http://osx.kbot.de
Elias said 11:35AM on 3-27-2008
Hmm... Microsoft seems to be one of the top sponsors of this event.
Michael said 12:41PM on 3-27-2008
Really?
Perhaps this explains it. From the link:
"You hack it, you get to keep it."
They reckon they're safe, because who'd want the Vista machine when you could get to take away a MacBook Air or a Vaio running Ubuntu?
LOL
sng said 1:19PM on 3-27-2008
Elias,
I met last year's winner the day after he won. He was pumped, dude was a huge Apple fan as are many others who attend. And don't forget we got a few really good patches out of last year's event. This is very much a win/win for Apple users. And, trust me, there ain't much MS love in that room and it would be a mistake to assume that their sponsorship gives them any pull with the event in general. Shame I can't make it up there this year.
Macfan said 1:46PM on 3-27-2008
Air will be the first target, to bring down that high and mighty Apple feeling and for the challenge.
Zak said 2:34PM on 3-27-2008
Hopefully if somebody does it this year they'll also report HOW it was done, unlike last year. Last year all the web sites just said "MAC HACKED OMGZ0RS". In reality, the guy had local access to the Mac and somebody had to physically upload a file to the Mac and run it, which requires local admin access. Honestly, at that point you could run the system CD and change the admin password and call it a "hack". Or just walk off with it.
sng said 3:06PM on 3-27-2008
Zak,
The fact that Apple produced several patches as a direct result of the information gained from last year's would, pretty much, prove you wrong.
http://daringfireball.net/2007/04/interview_dino_dai_zovi
Michael said 5:22PM on 3-27-2008
The MacBook's gone. Dr. Miller got it:
http://www.macworld.com/article/132733/2008/03/hack.html
Chris McDonald said 2:59AM on 3-28-2008
Yes, a little "surprising" that no article appeared on TUAW about that. ?
Michael said 7:48AM on 3-28-2008
I expect TUAW will note it later.
The Microsoft fans were out in force at /. crowing about it. I don't know how much it really says about OS X vs. Vista. So Vista is pretty secure compared to XP, and IE runs in a protected mode and all that. But maybe some of the difference is Miller himself -- he seems red-hot -- and which OS he was interested in looking at in his preparation. If he were really interested in breaking Vista ...
But then again, perhaps not; and I do know Miller has himself had a paper saying there is plenty there to exploit in OS X.
In any event, I'm not about to sell my Mac and buy a Vista machine.
But I do hope Apple makes security a top priority before their market share increases.
Todd said 8:04AM on 3-28-2008
Miller is quoted in other articles saying he is an Apple fan and used a MacBook at the event. Unfortunately, he said he chose to hack the Air first because:
- "Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."