Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize.

Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.

[via Engadget]

If you fondly remember last year's CanSecWest hacking challenge -- won by researcher Dino Dai Zovi with a Java/QuickTime exploit that allowed him to take over the target MacBook Pro, thereby claiming it as his own -- you'll want to keep your ears open for results of the current challenge, now underway for the 2nd day in Vancouver. This year's PWN2OWN competition extends the target space to three road warrior laptops: a MacBook Air, a Sony VAIO running Ubuntu and a Fujitsu machine running Vista.

No winners were declared on the first day; that's no surprise to contest organizers, as the initial set of rules were the most restrictive. Today the ruleset allows for browser and other built-in application exploits by visiting a malicious URL, so it could get more exciting in a hurry.

Update: The MacBook Air has been claimed, per Macworld.

[via Macworld]

Over at Daring Fireball John Gruber interviews Dino Dai Zovi, who won the CanSecWest security contest we mentioned last week by successfully exploiting a MacBook Pro through a flaw in QuickTime's implementation of Java. Dai Zovi explains the sort of thing he did (though obviously without giving details). He is a Mac user himself and confirms what we noted before that you can defend yourself by disabling Java in your browsers. Dai Zovi's main advice for the "typical" user is merely to run in a non-admin account. It's definitely worth a read for anybody curious about the exploit.

According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune.

Let's take a moment to note, before frantically shutting down all the garbage mashers on the detention level, that this is an unreleased exploit and there is no expectation of it going wild; it's in the care and feeding of the Zero Day Initiative now and notification to Apple, Sun (Java) and other affected parties will be handled professionally. The only real-world risk is if some clever soul manages to find the same unpublished vulnerability that Dai Zovi did and pairs it with a malicious payload. Personally, I use Java for a couple of work purposes, but I can presumably leave it on in one browser for those specific pages and do my general browsing with another, Java-disabled browser... that is, I would, if I was paranoid.

There are plenty of other ways to improve your Mac security, most listed via this post. Top three: turn on the firewall, run as a normal user, and turn off wireless (at least, turn off automatic connection to open networks). Apple's guide to Tiger security is also available as a PDF here.

No sooner said... the first half of the CanSecWest MacBook Pro hack challenge has been won, with an exploit that uses a malicious webpage to gain a user-level shell via Safari. The second challenge, requiring root access on the target machine, has yet to be won (and requires the use of a different exploit). As far as we know right now, this is a zero-day exploit without a known patch. (Grrr.)

It's worth mentioning the elephant in the room for this contest: where was the $10,000 bounty for a similar takeover of a Windows XP or Vista stock patched configuration? It wouldn't have taken a day, that much is certain.

More news as it comes... thanks to our vigilant commenters for the link.

graphic: Sebastiaan de With

[via Matasano]