Gone in 2 minutes: Mac gets hacked first in contest
It may be the quickest $10,000 Charlie Miller ever earned.
He took the first of three laptop computers — and a $10,000 cash prize — Thursday after breaking into a MacBook Air at the CanSecWest security conference’s PWN 2 OWN hacking contest.
Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed “0day” attack.
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.
The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.
Miller, a former National Security Agency employee best known as one of the researchers who first hacked Apple’s iPhone last year, didn’t take much time. Within 2 minutes, he directed the contest’s organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.
He was the first contestant to attempt an attack on any of the systems.
Miller was quickly given a nondisclosure agreement to sign and he’s not allowed to discuss particulars of his bug until the contest’s sponsor, TippingPoint, can notify the vendor.
Contest rules state that Miller could only take advantage of software that was pre-installed on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple’s Safari browser.
By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest’s judges.
Miller’s $10,000 payday may sound sweet, but it’s not the most Miller has been paid for his work. In 2005, he earned $50,000 for a Linux bug he delivered to an unnamed government agency.
Last year’s contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.
Dai Zovi, who congratulated Miller after his hack, didn’t participate in this year’s contest, saying it was time for someone else to win.
Shane Macaulay, who was Dai Zovi’s co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.
But it was all in vain.
“It’s one thing to find a vulnerability, it’s another thing to make working exploit code,” said Terri Forslof, TippingPoint’s Manager of Security Response.
Forslof said that a number of “high quality” researchers have said that they will attempt to hack the machines on Friday, the last day of the conference.
She expects both systems to be hacked on Friday, when contest rules will be further eased, and hackers will be able to attack popular third-party software that can be installed on the systems. “I don’t think we’ll have to take any home,” she said.
from source.
8 Comments so far
Leave a reply
[...] Gone in 2 minutes: Mac gets hacked first in contest [...]
acum ti-am vazut postul. deci prin urmare s-au castigat laptop-urile cu vista si macosx adica prin astea s-a trecut ca prin branza.
“So at the end of the last day of the contest, only the Sony VAIO laptop running Ubuntu was left standing. ”
Deci eu zic sa cumparati cat mai multe licente ca vad ca se merita. Dai un ban da sti ca face
nu nu nuu. stai asa baiatuu.
pe sistemul de operare direct nu s-au spart nici unul din alea 3.
in ziua a 2a cand i au lasat sa se dea si la browser part, atunci a picat mac os…. in 2 sec.
deci mai ramaneau vista si linux in competitie.
in a 3a zi au zis ca au voie sa incerce sa sparga si aplicatii 3rd party de pe sistemele ramase.
si aici a picat vista cu ceva chestie prin flash bug.
Deci cumparati in continuare sisteme, laptopuri etc cu Vista. Cu Vista merge sigur, din prima! vorba aia.
cu vista nu merge nimic din prima. tu nu poti sa ti-o freci la un shag cu vista. cel mai pizdos soft pe care il are pe un DVD intreg ramane notepad-ul ala 6 ani de “development”. is curios ce urmeaza. microsoft te tine la limita tehnologiei ! cea inferioara
merg toate din prima. plug& play si merg toate.
e ~2 gigs, nu un DVD intreg.
ai destule si out of the box. restul sunt 3rd party, sa aleaga fiecare ce vrea. ca altfel iar fac gura mare EU cu anti-trustu lor shit. (vezi cazul cu media player).
lasa Media Player-ul ca nu cunosc om pe planeta asta sa il foloseasca. Arata-mi tu un utilizator de windows fara BS Player sau VLC. Chiar te rog sa imi enumeri niste facilitati out of the box la vista. Cat are instalat pe hard? 2GB ? sa vad ce stie face pentru 2GB
pai daca cunosti doar romani si linux users, clar ca nu cunosti persoane care sa foloseasca WMP. Eu il folosesc, deci cunosti una bucata om.
Desigur, am vlc si alternative dar pt movies. pt mp3, wmp.
despre features in vista gasesti la: http://www.microsoft.com/windows/products/windowsvista/features/details/accessibility.mspx
si sunt 3 coloane: Ac-Ne | Ne-Wi | Wi-XP
[...] The actual reality is that Macs are the least secure operating system of all. You probably won’t ever have a virus though, as there aren’t enough Macs to justify a [...]