MacBook Air knocked out quickly in CanSecWest contest
Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize.

Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.
[via Engadget]

Reader Comments (Page 1 of 2)
James Madley said 8:38AM on 3-28-2008
Not really troubling. Mac vs. Windows vs. Ubuntu, who promotes security the most?
Just means Macs become the first target in things like this.
Todd said 8:54AM on 3-28-2008
I wonder if the exploit works when running Safari on the Windows platform.
Rob D said 8:55AM on 3-28-2008
Not a surprise when everyone wanted the MacBook Air more than any of the other systems. Vista is next then Ubuntu.
Todd said 9:15AM on 3-28-2008
Or because the guy who won found it the easiest platform to hack. Miller was quoted saying -
"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard," Miller said.
and
"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."
iDarbert said 12:14PM on 3-28-2008
He was also quoted saying "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it; it's in my best interest for them to be as secure as possible."
Fritz Laurel said 12:15PM on 3-28-2008
@Todd: Wait -- dude said he found an iPhone bug a year ago?? iPhone hasn't been out a year yet. Yeah, he's trustworthy.
I agree w/ Rob D, though. Nobody wants Windows or Ubuntu. You can't give that crap away!
iDarbert said 12:42PM on 3-28-2008
Now that you mention it I'm not sure it was so much time ago unless I'm mixing that bug and the TIFF exploit up.
I guess it's Apple's fault to make apps run as root in the iPhone, as a matter of fact they don't do it anymore in 1.1.3 and up.
Kelmon said 9:17AM on 3-28-2008
"It is a little troubling"
It's a bit more than a little troubling. While I feel that the MacBook Air was the highest value system to target (both in terms of resale value and also bragging rights) and I've never said that Macs were secure, that it was compromised in 2-minutes is very worrying. Sure, this vulnerability should never make it into the wild if Apple does their job with the details but you have to wonder how many other vulnerabilities exist. If this turns out to be a Safari-specific issue then this is more likely to encourage me to switch to another browser than anything else.
2-minutes....bloody hell.
KeynoteKen said 11:22AM on 3-28-2008
And you can bet there are other vulnerabilities that this guy knows about, but where's the impetus to say anything about them if he's got a good chance of winning another Mac next year? :)
dan said 9:27AM on 3-28-2008
Vista...security...Vista...security...Vista...security. No matter how many times I say it, it still doesn't sound right, but I guess the proof is in the pudding?
Rich said 9:31AM on 3-28-2008
A couple of points to make on this:
The hacks were only allowed on previously unknown weaknesses. So all the known weaknesses in Windows and Mac OS were out of bounds.
The 2 minutes is the time it took the guy to tell someone else to go to a particular website that exploited the weakness. He probably spent days in advance of this event looking for the weakness and creating a way of exploiting it.
h8rain said 9:34AM on 3-28-2008
That is what I was thinking. The site with the code (and relevant hack) was already done. On the other hand, why not do that yesterday? So that that be 1 day, two minutes, since he could not have the laptop visit the site?
Michael Rose said 9:47AM on 3-28-2008
H8rain, the rules change between day 1 and day 2 of the competition. On Day 1 they had to find a pure network vector -- no URLs, no local user interaction, just hitting the machine over the wire, and since this is much more challenging nobody was able to pull it off. Day 2 rules allowed a malicious URL or other interaction.
Eideard said 9:31AM on 3-28-2008
Which version of Safari were they running? Did the OS include this week's security update?
Michael Rose said 9:45AM on 3-28-2008
Everything was patched to current levels, so 10.5.2 and Safari 3.1
2shae said 9:37AM on 3-28-2008
Though there aren't many real life threats out there, Apple has to really spend some more time into security flaws (although I know that's what they are doing right now, hence all the updates).
I'm not saying Microsoft has secure products, but they are years ahead of patching vulnerabilities and so is Linux btw.
WiLLGT09 said 10:14AM on 3-28-2008
Can someone explain to me why it seems that Safari or QuickTime (especially QT, even in Windows) always have huge security flaws in them? What makes these apps/technology more susceptible to bugs/security holes? Just curious.
potato said 11:38AM on 3-28-2008
IMHO it's because Apple got complacent in their security. Where Windows gets hounded every second of the day for its poor security, Apple hasn't, and as a result one company has done something about it... and the other is hacked :P
Fritz Laurel said 12:19PM on 3-28-2008
Because they actively connect to other systems while walking the fine line between a "rich" user experience and security.
LD said 10:18AM on 3-28-2008
So....does simply visiting the website cause the exploit in and of itself? Or is there some other action needed? Such as clicking "yes" or entering your sudo password?
And what does "take over" mean?
I haven't found an article that goes into detail on what actually happened.