Skip to Content

Submit your nominations for the Luxist Awards' Best in Decor
AOL Tech

cansecwest posts

Filed under: Security

There's a hole in Safari, dear Liza

by Victor Agreda, Jr. (RSS feed) on Mar 19th, 2009


Update: Thanks as well to everyone who pointed out that we got our sources mixed up! The article linked is the 2007 CanSecWest, and we apologize for the confusion. The winner of the 2009 competition was Charlie Miller (sorry Charlie), and you can read more about this year's competition here -- IE8 and Firefox have also been compromised in the competition. If you're curious about the state of Mac security and exploitation, be sure to check out Dino Dai Zovi's presentation here.
Special thanks to Chris von Eitzen at The H, and to everyone else who let us know!

---

Another year, another Pwn2Own at CanSecWest and Safari falls... in a short time. Well, to be fair, Safari fell after 24 hours and "... a couple of seconds" give or take a few. On day two of the event the "attack surface" widens -- that is, hackers are given more ways to hijack the machine. In this case, it wound up being a hole in Safari. As the barrier was lowered, an email was sent to the judges, who clicked on it, and that link took them to a special page that exploited the vulnerability. The exploit was discovered by Dino Dai Zovi who, "wrote the exploit overnight in about 9 hours" as MacDailyNews reports. Dino was assisted on the ground by Shane Macaulay. As yet, we haven't seen this in the wild and the hole has been properly disclosed to Apple.

As Download Squad notes, Firefox and Internet Explorer 8 were taken down some time later. Before declaring Safari "less secure" then those browsers, it is important to note that the hole has been reported to Apple, who need only issue a patch to fix it. Further, the exploit that took Dino 9 hours to write isn't publicly available. That said, it stresses the importance of installing browser patches and security updates for your machine. The best part about finding these exploits at events like CanSecWest is that they help make Safari, and every other browser, more secure.

Thanks to everyone who sent this in!


Tags: cansecwest, safari, security, vulnerability

Filed under: Security

MacBook Air knocked out quickly in CanSecWest contest

by Michael Rose (RSS feed) on Mar 28th, 2008

Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize.

Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.

[via Engadget]

Tags: 0day, cansecwest, macbook air, MacbookAir, pwn2own, pwnd, security

Filed under: Security

CanSecWest offers another Mac hacking challenge

by Michael Rose (RSS feed) on Mar 27th, 2008

If you fondly remember last year's CanSecWest hacking challenge -- won by researcher Dino Dai Zovi with a Java/QuickTime exploit that allowed him to take over the target MacBook Pro, thereby claiming it as his own -- you'll want to keep your ears open for results of the current challenge, now underway for the 2nd day in Vancouver. This year's PWN2OWN competition extends the target space to three road warrior laptops: a MacBook Air, a Sony VAIO running Ubuntu and a Fujitsu machine running Vista.

No winners were declared on the first day; that's no surprise to contest organizers, as the initial set of rules were the most restrictive. Today the ruleset allows for browser and other built-in application exploits by visiting a malicious URL, so it could get more exciting in a hurry.

Update: The MacBook Air has been claimed, per Macworld.

[via Macworld]

Tags: cansec, cansecwest, hacking, macbook air, MacbookAir

Filed under: Security

Gruber interviews CanSecWest winner

by Mat Lu (RSS feed) on Apr 27th, 2007

Over at Daring Fireball John Gruber interviews Dino Dai Zovi, who won the CanSecWest security contest we mentioned last week by successfully exploiting a MacBook Pro through a flaw in QuickTime's implementation of Java. Dai Zovi explains the sort of thing he did (though obviously without giving details). He is a Mac user himself and confirms what we noted before that you can defend yourself by disabling Java in your browsers. Dai Zovi's main advice for the "typical" user is merely to run in a non-admin account. It's definitely worth a read for anybody curious about the exploit.

Tags: cansecwest, daringfireball, security

Filed under: Security

More on the CanSecWest exploit and Java

by Michael Rose (RSS feed) on Apr 23rd, 2007

According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune.

Let's take a moment to note, before frantically shutting down all the garbage mashers on the detention level, that this is an unreleased exploit and there is no expectation of it going wild; it's in the care and feeding of the Zero Day Initiative now and notification to Apple, Sun (Java) and other affected parties will be handled professionally. The only real-world risk is if some clever soul manages to find the same unpublished vulnerability that Dai Zovi did and pairs it with a malicious payload. Personally, I use Java for a couple of work purposes, but I can presumably leave it on in one browser for those specific pages and do my general browsing with another, Java-disabled browser... that is, I would, if I was paranoid.

There are plenty of other ways to improve your Mac security, most listed via this post. Top three: turn on the firewall, run as a normal user, and turn off wireless (at least, turn off automatic connection to open networks). Apple's guide to Tiger security is also available as a PDF here.

Tags: cansecwest, exploit, hacks, matasano, security

Filed under: Security

One Mac hack bounty claimed, one to go

by Michael Rose (RSS feed) on Apr 20th, 2007

No sooner said... the first half of the CanSecWest MacBook Pro hack challenge has been won, with an exploit that uses a malicious webpage to gain a user-level shell via Safari. The second challenge, requiring root access on the target machine, has yet to be won (and requires the use of a different exploit). As far as we know right now, this is a zero-day exploit without a known patch. (Grrr.)

It's worth mentioning the elephant in the room for this contest: where was the $10,000 bounty for a similar takeover of a Windows XP or Vista stock patched configuration? It wouldn't have taken a day, that much is certain.

More news as it comes... thanks to our vigilant commenters for the link.

graphic: Sebastiaan de With

[via Matasano]

Tags: cansecwest, hack, security

Tip of the Day

Use Spotlight as a reference tool. Type any word in the Spotlight box and one of the top entries will be a definition. Click on it, and it will bring up the dictionary application to check the word in either the dictionary, thesaurus, Apple database, or Wikipedia.

Learn More

Follow us on Twitter!

TUAW flickr Pool

www.flickr.com
 TUAW [Cafepress]

Featured Galleries

DNC Macs
Macworld 2008 Keynote
Macworld 2008 Build-up
Google Earth for iPhone
Podcaster
Storyist 2.0
AT&T Navigator Road Test
Bento for iPhone 1.0
Scrabble for iPhone
Tom Bihn Checkpoint Flyer Briefcase
Apple Vanity Plates
Apple booth Macworld 07
WorldVoice Radio
Quickoffice for iPhone 1.1.1
Daylite 3.9 Review
DiscPainter
Mariner Calc for iPhone
2009CupertinoBus
Crash Bandicoot Nitro Kart 3D
MLB.com At Bat 2009
Macworld Expo 2007 show floor

 

Most Commented On (7 days)

Recent Comments

More Apple Analysis

More from AOL Money and Finance

AOL Radio TUAW on Stitcher