Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize. Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.
[via Engadget]

Reader Comments (Page 1 of 2)
3-28-2008 @ 8:38AM
James Madley said...
Not really troubling. Mac vs. Windows vs. Ubuntu, who promotes security the most?
Just means Macs become the first target in things like this.
3-28-2008 @ 8:54AM
Todd said...
I wonder if the exploit works when running Safari on the Windows platform.
3-28-2008 @ 8:55AM
Rob D said...
Not a surprise when everyone wanted the Macbook Air more than any of the other systems. Vista is next then Ubuntu.
3-28-2008 @ 9:15AM
Todd said...
Or because the guy who won found it the easiest platform to hack. Miller was quoted saying -
"We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard," Miller said.
and
"Every time I look for [a flaw in Leopard] I find one. I can't say the same for Linux or Windows. I found the iPhone bug a year ago and that was a Safari bug as well. I've also found other bugs in QuickTime."
3-28-2008 @ 12:14PM
iDarbert said...
He was also quoted saying "I use a MacBook all the time and that's what I used in the contest to attack the MacBook Air. I like Macs. That's the reason I went for it; it's in my best interest for them to be as secure as possible."
3-28-2008 @ 12:15PM
Fritz Laurel said...
@Todd: Wait -- dude said he found an iPhone bug a year ago?? iPhone hasn't been out a year yet. Yeah, he's trustworthy.
I agree w/ Rob D, though. Nobody wants Windows or Ubuntu. You can't give that crap away!
3-28-2008 @ 12:42PM
iDarbert said...
Now that you mention it I'm not sure it was so much time ago unless I'm mixing that bug and the TIFF exploit up.
I guess it's Apple's fault to make apps run as root in the iPhone, as a matter of fact they don't do it anymore in 1.1.3 and up.
3-28-2008 @ 9:17AM
Kelmon said...
"It is a little troubling"
It's a bit more than a little troubling. While I feel that the MacBook Air was the highest value system to target (both in terms of resale value and also bragging rights) and I've never said that Macs were secure, that it was compromised in 2-minutes is very worrying. Sure, this vulnerability should never make it into the wild if Apple does their job with the details but you have to wonder how many other vulnerabilities exist. If this turns out to be a Safari-specific issue then this is more likely to encourage me to switch to another browser than anything else.
2-minutes....bloody hell.
3-28-2008 @ 11:22AM
KeynoteKen said...
And you can bet there are other vulnerabilities that this guy knows about, but where's the impetus to say anything about them if he's got a good chance of winning another Mac next year? :)
3-28-2008 @ 9:27AM
dan said...
Vista...security...Vista...security...Vista...security. No matter how many times I say it, it still doesn't sound right, but I guess the proof is in the pudding?
3-28-2008 @ 9:31AM
Rich said...
A couple of points to make on this:
The hacks were only allowed on previously unknown weakness. So all the known weaknesses in Windows and Mac OS were out of bounds.
The 2 minutes is the time it took the guy to tell someone else to go to a particular website that exploited the weakness. He probably spent days in advance of this event looking for the weakness and creating a way of exploiting it.
3-28-2008 @ 9:34AM
h8rain said...
That is what I was thinking. The site with the code (and relevant hack) was already done. On the other hand, why not do that yesterday? So that that be 1 day, two minutes, since he could not have the laptop visit the site?
3-28-2008 @ 9:47AM
Michael Rose said...
H8rain, the rules change between day 1 and day 2 of the competition. On Day 1 they had to find a pure network vector -- no URLs, no local user interaction, just hitting the machine over the wire, and since this is much more challenging nobody was able to pull it off. Day 2 rules allowed a malicious URL or other interaction.
3-28-2008 @ 9:31AM
Eideard said...
Which version of Safari were they running? Did the OS include this week's security update?
3-28-2008 @ 9:45AM
Michael Rose said...
Everything was patched to current levels, so 10.5.2 and Safari 3.1
3-28-2008 @ 9:37AM
2shae said...
Though there aren't many real life threats out there, Apple has to really spend some more time into security flaws (although I know that's what they are doing right now, hence all the updates).
I'm not saying Microsoft has secure products, but they are years ahead of patching vulnerabilities and so is Linux btw.
3-28-2008 @ 10:14AM
WiLLGT09 said...
Can someone explain to me why it seems that Safari or QuickTime (especially QT, even in Windows) always have huge security flaws in them? What makes these apps/technology more susceptible to bugs/security holes? Just curious.
3-28-2008 @ 11:38AM
potato said...
IMHO it's because Apple got complacent in their security. Where Windows gets hounded every second of the day for its poor security, Apple hasn't, and as a result one company has done something about it... and the other is hacked :P
3-28-2008 @ 12:19PM
Fritz Laurel said...
Because they actively connect to other systems while walking the fine line between a "rich" user experience and security.
3-28-2008 @ 10:18AM
LD said...
So....does simply visiting the website cause the exploit in and of itself? Or is there some other action needed? Such as clicking "yes" or entering your sudo password?
And what does "take over" mean?
I haven't found an article that goes into detail on what actually happened.