Mac easiest to hack, says $10,000 winner

Discussion in 'Computer Support' started by lottwoodard, Apr 21, 2008.

  1. lottwoodard

    lottwoodard Guest

    March 28, 2008 (Computerworld) The security researcher who walked away
    with $10,000 yesterday by hacking a MacBook Air in less than two minutes
    said he chose to attack Apple Inc.'s operating system for one simple

    "It was the easiest one of the three," said Charlie Miller, an analyst at
    Independent Security Evaluators (ISE), a Baltimore-based security
    consultancy. "We wanted to spend as little time as possible coming up with
    an exploit, so we picked Mac OS X."

    On Thursday afternoon, Miller breached a MacBook Air, one of three laptops
    up for grabs in the "PWN to OWN" hacker challenge at CanSecWest, a
    security conference that wraps up today in Vancouver, British Columbia.
    For his efforts, he got the computer and a $10,000 cash prize.

    The MacBook Air was running the current version of Mac OS X, 10.5.2, with
    all the latest security patches applied. The other two computers, a Sony
    Vaio VGN-TZ37CN running Ubuntu 7.10 and a Fujitsu U810 notebook running
    Windows Vista Ultimate SP1, were also up to date and fully patched.

    "We sat down about three weeks ago and decided we wanted to throw our hats
    into the ring," said Miller, referring to himself and ISE colleagues. "It
    took us a couple of days to find something, then the rest of the week to
    work up an exploit and test it.

    "It took us maybe a week altogether," Miller said.

    Because Miller was bound by a nondisclosure agreement with 3Com Corp.'s
    TippingPoint, the security company that ponied up PWN To OWN's cash
    prizes, he was unable to share details of the vulnerability. He did
    confirm, however, that he had exploited a bug in Safari 3.1, the current
    version of Apple's browser.

    The PWN to OWN challenge actually started Wednesday, but the rules for
    that first day required researchers to break into one of the laptops using
    a remote code-execution exploit of a zero-day. At stake: the laptop and
    $20,000. Only one researcher stepped up that day, however, and was

    Yesterday, the computers' exposure to attack was expanded by allowing
    hackers to go after any client-side applications installed by default,
    including Web browsers. Contestants were also allowed to replicate the
    common tactic of duping a user into following a link in an e-mail or
    visiting a malicious Web site. In Miller's case, he had set up a malicious
    Web site; the URL to that site was typed into Safari's address bar.

    "I've had a change of heart," said Miller today. "I used to think server-
    side vulnerabilities were easier to exploit, but now I almost think it's
    easier to exploit the client side. Think about a browser. There's a
    million things it has to do. It has to handle images and video and audio
    and ... that's where the danger is these days."

    Miller, formerly with the National Security Agency, may be best known as
    one of the first to hack Apple's iPhone last summer. In August 2007, he
    also blasted Apple for its sluggish updating of the open-source components
    it uses in its operating system, calling the practice "negligent."

    At the time, Miller said he had found at least one critical vulnerability
    that had been patched in WebKit, the open-source code that powers Safari's
    engine, but integrated into Apple's browser. When pressed whether the
    vulnerability he used yesterday to snap up the $10,000 was a similar bug,
    he sidestepped the question. "The version of WebKit Safari was using
    [before 3.1] was very, very old, but when they switched to 3.1, it's now
    pretty much up to date."

    Apple updated Safari to Version 3.1 two weeks ago, patching 10
    vulnerabilities in the Mac OS X edition, most of them cross-site scripting

    "[Mac OS X] security is better than it was three or four months ago," said
    Miller when asked to characterize Apple's current security status. "... We
    were equally capable of finding [a vulnerability] in Windows if we had
    to," he said.

    TippingPoint, which acquired the vulnerability for its Zero Day Initiative
    bug-bounty program, said yesterday that it has reported the Safari flaw to
    Apple. "Until Apple releases a patch for this issue, neither we nor the
    contestants will be giving out any additional information about the
    vulnerability," TippingPoint said in a statement on its company blog.
    lottwoodard, Apr 21, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.