It took two minutes for a team of security researchers to seize control of a MacBook Air and walk away with $10,000 in prize money for doing so. The annual Pwn to Own contest pitted the MacBook Air against Windows Vista and Ubuntu machines, and all three made it through the first day when hacks were limited to over-the-network techniques.
But on day two, the contest rules changed to allow attacks delivered by tricking someone into opening a maliciously coded Web site or email. Charlie Miller, Jake Honoroff, and Mark Daniel quickly gained control of the MacBook using a newly discovered zero-day vulnerability in Safari.
The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were “tricked” into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.
Last year’s winners of the contest exploited a QuickTime vulnerability which, to Apple’s credit, was patched within two weeks. The contest rules stipulate that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability can be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.
I know I’m beating a dead horse here, but I’m still trying to pick a fight with the Apple faithful to have them argue with me that Macintosh systems are more secure than Windows systems. Come on, bring it fan-boys! (and fan-girls!)
When not referring to himself in the third person, Brian likes rain and getting caught in Pina Coladas. Oh, and let's not forget making love to Cape dunes. Yeah, those really do it for me....er, um.. I mean Brian.
April 1st, 2008 at 4:01 pm
Very, very true. They are safe only because nobody deems it useful to mess with them. I saw another article somewhere that said Microsoft is the best at patching security holes, Ubuntu next and THEN Apple. Who says apples can't get worms!