MacBook Air hacked in security contest
A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.
IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition, which pitted the Air against Windows Vista and Ubuntu machines.
Charlie Miller pwns a MacBook Air at CanSecWest.
(Credit: TippingPoint)No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail. Hackers were also allowed to target "default installed client-side applications," such as browsers.
The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.
The contest rules stipulated that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability could be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.
Last year's contest was won by exploiting a QuickTime vulnerability, which was patched by Apple in less than two weeks. As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I'll update later as the results come in over the rest of the afternoon.
UPDATED 3/29 11:45am PT - The Vista laptop fell on the last day of the conference. Check out this story for more details.
Tom Krazit writes about the ever-expanding world of Internet search, including Google, Yahoo, online advertising, and portals, as well as the evolution of mobile computing. He has written about traditional PC companies, chip manufacturers, and mobile computers, spending the last three years covering Apple. E-mail Tom. 
Mind you, would mentioning that I'm surprised and a little amused that the Mac got hacked before Vista count as trolling?
Maybe more people were trying to hack it in order to win a Macbook Air?
What's the deal, anyone know? As in, do you win a MBA for hacking the MBA, a Vista machine for hacking the Vista machine?
Or is it just the first guy to hack any machine gets an MBA?
Troll on.
I think we are going to start seeing a lot more security exploits on the Mac OS over the next few years, as it gains popularity.
Hacking a Vista machine is like taking candy from a baby, I
would've gone for the MBA for the challenge and for, well, the MBA.
"I think we are going to start seeing a lot more security exploits on
the Mac OS over the next few years..." Wasn't that something that
was said about the Mac a few years AGO?
into going and doing something which made them vulnerable.
Now granted, its intriguing to find that they got control via the
browser, but let's face it, IE and FireFox will likely have some
security flaw exposed as well. neither OS was penetrated
directly and THAT is the big story. The programmers are at
least, learning to kill potential back doors to someone getting
your information. I use both OS's and I'll be damned if I want
someone arbitrarily hacking my machine.
Of course in the 7 months I've switched to a Mac and the tabs I keep on Mac issues, only cements further why I don't use Safari and use Firefox.
making it sound like it's completely unhackable.
Like MS doesn't say the same thing?
>I think we are going to start seeing a lot more security exploits
on the Mac OS over the next few years, as it gains popularity.
So, you admit that Windows is losing customer base? LOL
hackable without user permission. While this is also true of other
platforms, I always remember that ultimately it's the driver, not the
manufacturer, who's responsible for the safety of their vehicle.
"As fax machines sell more and more, we will see more people sending/receiving faxes"
Are you available for work? I want to hire someone who can tell me what happens as more and more people start moving to the mid-west? Will the population there grow? Or will my theory come true: As the people move west the water will explode. can you help me with my theory. I did notice as people drive on the roads where i live the traffic gets denser. I just can not figure out why.
Wednesday, the first day of the contest, when hacks were limited
to over-the-network techniques on the operating systems
themselves."
So all three systems were unhackable without some "user error"
involved? I mean, duh, if you actually go out and access a
website/URL, you're putting yourself at risk, even if it looks legit.
Time to start teaching people to better identify fraud/scam
URLs. (Although it's nice to have the "hole" patched so that you
can make the user less dangerous to the system.)
Tim G.
used a recently known hole in Safari to execute to attack. Given
this, it could have been done on the Windows computer as well...
but I'm guessing the hackers that won wanted the MBA more than
the Ho-Hum Dell they would have won breaking Windows.
So by Mac being more secure it then becomes less secure. (The security causes it to sell more, increasing its market saturation, therefore making it a more likely target).
I just find it funny that the Mac system is the first to be hacked. What I find funnier is that the fanboys sell it off because "They want the MBA more". Yeah right. I think they want the 10,000 dollars most. It probably took them longer to hack Vista because of the massive amount of bloat slowed the system they were using to a crawl. :)
That must be it. The macbook air is just quick enough that they
were able to execute their code about twice as fast....so if it takes
three days for the vista machine to get hacked, the macbook is still
more secure....:)
Too bad it's not true. All 3 computers sat there idling most of the time.
stolen ideas. What's it like to be on MS's payroll? Oh wait...
Windows fanbois can celebrate all around the world!!
VISTA >>> OSX
LONG LIVE WINDOWS!!
But of course all that is pointless to type because you just want to post stupid comments.
Dude, that's pretty unfair to the other teams.
So, if you ever found a security hole in any OS, don't make it public. Instead, wait for some contest like this, and pocket your money.
little scam. Let the machine sit there and then let's see how
brilliant these guys are. Let is be accessible via internet
connections and not actively going after their scam site and see
how long it takes them to hack the code. We might be talking
about it well into 2100.....
story. There was nothing stated about what the flaw was, what
was the "trick" that "encouraged" the judges to enter the demon
site.
Until more details are reported, one simply cannot determine the
seriousness of the Safari flaw or its ubiquity on Macs (or similar
flaws on other platforms).
Until those details are made available, one should simply keep
quiet.
Most Mac Fanbois think that OS X IS invulnerable.
The rest of Mac and Windows users use caution when using their
computers. As a Mac user I know that no OS is invulnerable and there
WILL come a time when real exploits and viruses hit OSX. However if
OS-X had as many viruses and exploits as Windows I'd still prefer to use
my MBP which runs BOTH Oses simultaneously with little fanfare.
reason why I can't run OS X on a Dell is because Apple won't let me.
You can do VMs under Vista and XP just as easily as under OS X.
lol
http://www.baboo.com.br/absolutenm/articlefiles/31739-hacking_x_2min.jpg
Linux Have vulnerabilities...
Windows Have Vulnerabilities
OSX said they were so secure ... They Too Have Vulnerabilities ..
So When It Comes to Security , Every Operating System Sucks.
Go Use OS/2. No Virus .. And No one Will Hack You
Without applications an OS is useless.
"CNET Cutting 120 Jobs"
A computer user can not be tricked into an exploit. They are either ignorant or know what they are doing. The former has no business using a computer.
Apple installed Safari onto millions of Windows systems by exploiting the average user's ignorance of update methods.
Not everyone is as clever as you are, but I'm not sure I'm ready to condemn the majority of the computer users of the planet so casually.
This sort of attitude is the very reason people are easily duped into clicking on sites. You're too smart to be tricked- until you are because someone is counting on you to react in a specific way and takes advantage of you.
devalue that. Any attempt to do so is just pointless fanboyism.
Apple got pwned fair and square on this one. They'll fix it -
which is good - but neither Vista's nor Ubuntu's possible
security issues change the fact that the MBA got hacked and got
hacked before Vista or Ubuntu (all in default configurations).
Also, the idea that since Safari provided the keyhole the Vista
machine must have been just as vulnerable doesn't really pan
out. Applications will interact with different OSes in different
ways. Therefore, a keyhole application on one OS won't
necessarily provide the same attack vector on another OS. It may
but there is nothing saying that it will.
Lastly, as of today (march 28th) the Ubuntu and Vista machine
are still in the running. http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-
own-final-day-and-wrap-up
It will be interesting to see what the results of today's attacks
are.
because it required the user to initiate the hack. This usually
happens through porn, so, in my opinion, the person deserves
to get hacked and trashed....LOL.
:) Well, the Vista laptop did get taken down, and it looks like
there wasn't really any user input on that one....but it's not
Microsoft, it's adobe on that one.
Kudos to MS, they aren't doing that bad of a job.
But I still like macs better:)
to the have to change the rules to artificially allow the hackers in.
In this case, "tricking" someone to visit a mal-site.
'direct hacks' either. More to the point, in the same conditions that
the Mac was broken neither the Vista or Ubuntu boxes were
compromised. The time line is
Day one: No one (vista, os x, linux) got hacked.
Day two: OS X got pwned.
Day three: Still waiting results.
many questions:
1. Nothing got hacked on day 1. I've heard that no one even
bothered trying, but that's the question - how many people
were actually trying to exploit the 3 machines on day 1?
2. We know the Mac got pwned on day 2, but how many people
were attacking the other 2 machines that day? Did anyone even
bother?
3. Day 3 is upon us, where they can use basically anything to
attack the machine (3rd party software installs allowed). Anyone
still trying? What will the results of that be?
Nothing is perfect security-wise, I think all of us know that. I'll
wager that Apple will fix this problem within a month (it only
took 2 weeks last year to fix the QuickTime exploit used), which
will make all of our Macs safER (emphasis added intentionally).
* Charlie Miller spent (literally) more than a year hunting down vulns in OSX, (and had his website prepared long in advance of the event, as even he admits). Little wonder if the guy withheld a previously-found exploit, only to use it for a quickie bit of monetary gain, ne?
'course, it is still an exploit that needs patched. Also there's the niggling fact that having a 0-day Vista exploit is worth a lot more than $10k to the black market... little wonder that we didn't see any out in the open - yet.
Meanwhile, Ubuntu happily carries on, no sweat.
/P
come naturally to you?
But never reported them to apple? Hackers do that? And those attempting to attack the ubuntu and vista didn't come prepared as well? Just like your "a 13 yr old can hack windows"?
Time to remove the blinders and look at all the facts.
It's nice to see Peng it still up to his old tricks (and there are plenty of people to call him on it). He just doesn't understand that people aren't bashing Apple or Linux; they are bashing HIM for his trolling, arrogance, and non-stop Microsoft hate and everyone who uses their products.
I haven't seen a post from Commander Spock recently. I wonder sometimes if Peng and Commander Spock are the same person... They both share the same distorted reality...
- ummm no
- by pjhenry1216 March 28, 2008 12:21 PM PDT
- they couldn't do this on the windows machine because safari isn't os-installed. safari comes standard on a mac, therefore it was fair game to use on a mac. safari does NOT come standard on a windows pc, therefore the safari exploit could *not* be used on the windows pc. the point of allowing the use of os-installed apps is to determine what's safer out-of-the-box.
- Like this Reply to this comment
-
-
- damn...
- by pjhenry1216 March 28, 2008 12:22 PM PDT
- hit the "reply to story" instead of "reply to comment" button. i *always* do that.
- Like this
-
Showing 1 of 2 pages (112 Comments)this was in response to whoever said that this exploit could have been used on the windows machine too.