MacBook Air knocked out quickly in CanSecWest contest
Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize.

Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.
[via Engadget]
I agree with FD when he says "It amazes me how people say it won't happen to them as long as they don't click on a shady link."
Do you think rickrolling would be such a big phenomenon if most people knew what they were clicking on?
The downfall of many is their own arrogance. Making excuses for this incident and making it seem like it's no big deal just plays into Apple's hands. Why would they have to rush to fix this or improve their products if no one cares or wants to believe that a weakness has been exposed?
Let me say this: if Vista were hacked in 2 minutes, it would be a feather in our cap and we'd bring it up every chance we get to stick it to Windows users.
It amazes me how people say it won't happen to them as long as they don't click on a shady link.
Get your head out of the sand. You honestly think this would only be deployed on some obscure unknown site? This code can be up on any site, forum, ...
Hack into a web server. Deploy the script on a page with the scoop on the next macbook pro or a supposed spy photo gallery of some secret upcoming product. Watch all the Mac heads visit. By the time they viewed the video, studied the photos, read the story, commented or whatever ... someone has gained access to their hard drive!
Wake up and smell the coffee.
The exploit was pre-coded by Miller, and two other co-workers from Independent Security Evaluators. It took several weeks to code, but isn't as headline grabbing as saying it fell in two minutes....
March 28 2008 at 5:32 PM
For hackers, I don't think doing the easiest hack just to get the money is the point. The Mac would provide the most bragging rights and the best free computer, the Air. So I'm not surprised they went after that one first, but not because it was the easiest.
Who wants a Vista laptop as their prize, lol.
Get out of the Steve Jobs distortion field and see reality!!
IMHO, Apple only pays lip service to security. Apple only cares that the public still believes in the myth that Apple computers are more secure than other platforms. As this contest demonstrates, Macs are not that secure.
I do hope Apple starts to take security more seriously and starts patching more often and quickly. But when the Open Source community patches software used in OS X and Apple takes its sweet time to incorporate this updated software into OS X, I am not that optimistic that Apple will change anytime soon. Pity.
I don't know... frankly they could just brag about not having viruses (like on the new ads), but then why would they introduce library randomization, warnings every time you open an application just downloaded, code signing, detection of executables in download archives, on top of releasing the security updates, while Microsoft just gave up and decided to deliver periodic updates instead of "when-required" updates?
It may be exaggerated sometimes, but I don't think that Apple's concern on security is just a facade.
The only real target? This is for a $10k prize. You don't go after the most difficult target. You go after the easiest one so you get the money.
March 28 2008 at 2:21 PM
The Mac was the only real target. The other systems will fall even easier. This hack was made up a while ago, I'd bet.
I discuss it more here:
http://gregstechblog.blogspot.com/2008/03/macbook-air-hacked.html
What part are you discussing more via the link? All I found was a very brief recap of the same information...
March 28 2008 at 1:41 PM
I suppose this:
"I suspect he's been planning this for a while, since as soon as they were allowed to hack through web apps, he was able to get in in 2 mins.
Just goes to show you, not even Macs are 100% safe."
I guess tuaw did get a lot of the same info.
It'll be interesting to see if this is something like a lib_tiff exploit, and not in any way related to OSX other than it uses the lib_tiff (Or whatever package has the flaw) library. Or if it's an issue directly with OSX and code Apple wrote.
March 28 2008 at 12:50 PM
So as long as I (a) don't use Safari, but instead run Camino, Firefox, Shiira, iCab, Opera or whatever, and (b) don't click sketchy links, I shouldn't have a problem?
You'll pardon me if I'm _not_ particularly disturbed.
Agreed. However, it is the other 80% that the software developers need to protect. The average user wants to buy a computer and use the software that comes with it. They don't want to hunt for "safer" applications because their assumption is that what comes with their new computer should do the trick. My parents and my in-laws are in that 80%. No matter how many times I try to educate them on safer computing practices, I still end up getting the call when they fall prey to these sorts of exploits. It's just not enough to say "be careful and research", because the average user shouldn't have to.
March 28 2008 at 11:47 AM
You can use Safari. Just don't click on links if you don't know where they go. None of these vulnerabilities can be exploited without user interaction, i.e. social engineering. If they could be, it would have been done on the first day of the contest.
March 28 2008 at 11:49 AM
So....does simply visiting the website cause the exploit in and of itself? Or is there some other action needed? Such as clicking "yes" or entering your sudo password?
And what does "take over" mean?
I haven't found an article that goes into detail on what actually happened.
LD --
Details on the mechanism of the exploit are deliberately kept under wraps until Apple has a chance to patch it; that's the idea behind the ZDI.
The contest details are at the Tipping Point blog linked in the post. The basic idea is that the attacker has to be able to read a file on the desktop for instructions to claim the prize. The attackers, under day 2 rules, could send an email to be read in the default email client, links to be clicked in the default browser, etc.
So basically the goal was to read a file from the current user's desktop, but without running any application, only by making the user visit (through an email link) a malicious script on a web page.
For a second I thought it was like the "rm -rf my Mac" contest where they had to obtain higher access first.
Well, it's interesting anyway. I wonder if they'll ever manage to do hacking via email the Outlook Express way in OSX; that would be major.
It's nice to have such a talented guy on "our side", better him than some random cracker.
Though I can't help but feel like this whole "2 minutes/30 seconds/when I look for flaws I can always find them" is just a publicity stunt. Well... the last one is probably because he knows the Mac OS X platform very well.